What is the best solution for SQL injection security on MySQL? | ansaurus

tags:

views:

695

answers:

4

Q:

What is the best solution for SQL injection security on MySQL?

What is the best function to run my strings through to ensure that MySQL injection is impossible?

Also, will it require running it through another function on the way out to make it display correctly?

See also

Are Parameters really enough to prevent Sql injections?
C# Parameterized Query MySQL with in clause
Can I protect against SQL Injection by escaping single-quote and surrounding user input with single-quotes?

+14 A:

Parameterized Queries

Chad Birch 2009-04-03 16:33:33

+1 that's the way to go. Not just because it avoids SQL injection but it also allows RDBMS to do better query execution plan caching.

ssg 2009-04-03 16:38:16

+1: always works -- makes injection actually impossible. String manipulation only makes it unlikely for all the cases we tested.

S.Lott 2009-04-03 16:43:39

+1: Mush better than trusting your own implementation to not have any edge cases or special syntax vulnerabilities.This also prevents the need to use HTML entities in the database. (I'm looking at you phpBB!)

John Gietzen 2009-04-03 18:51:55

+1 A:

A parameter function.

Humor aside, I mean don't dynamically execute user-entered content as SQL if you can at all avoid it. Pass everything as parameters, and reference them from your query instead. See Chad Birch's answer for a good link explaining this.

lc 2009-04-03 16:33:35

A:

As Chad says, always use parameterized queries to avoid SQL injection.

To answer the second half of your question, if your output is to a web page then always escape any special HTML characters (&, <, >) to protect against script injection.

Alnitak 2009-04-03 16:37:56

A:

Add to parameterized queries the use of input validation within the application. Never trust that the input is clean. Check it. For instance, if it's supposed to be an integer, check to make sure it converts to a numeric value without issue.

K. Brian Kelley 2009-04-03 18:41:37

related questions

Remove Quotes and Commas from a String in MySQL

What's the best way of converting a mysql database to a sqlite one?

How do you manage databases in development, test, and production?

Multiple foreign keys?

Add 1 to a field (MySQL)

Issues using MS Access as a front-end to a MySQL database back-end?

Bigger than a char but smaller than a blob

How do I retrieve my MySQL username and password?

Long-time LAMP Developer moving to VB.NET

How do I Concatenate entire result sets in MySQL?

Full complete MySQL database replication? Ideas? What do people do?

SQL: Distribution of table in time

SQLite vs MySQL

How do I create a new Ruby on Rails application using MySQL instead of SQLite?

Multiple Updates in MySQL

MySQL/Apache Error in PHP MySQL query

What all do I need to escape when sending a (My)SQL query?

Auto Generate Database Diagram MySQL

Mechanisms for tracking DB schema changes

How big can a MySQL database get before performance starts to degrade.

Python and MySQL

SQL Server 2005 implementation of MySQL REPLACE INTO?

How to export data from SQL Server 2005 to MySQL

Throw Error In MySQL Trigger

Binary Data in MySQL