
In my login forms I hash the username and password before I execute the queries:

... class ...

private $username;
private $password;
protected function Login(){
    $user = hash('sha256', $this->username);
    $pass = hash('sha256', $this->password);
    $this->query = "...";
    ...
}

and in other kinds of forms (like search forms) I convert the strings to arrays and then execute the queries, so that the query looks like this:

$searchstring = explode(' ', $search);
//.... Some lines of PHP code... and the resulting query is: ...
$this->query = "SELECT... WHERE name LIKE 'DELETE%' OR name LIKE 'FROM%' ";
$this->query.= " OR name LIKE 'USERS%' OR name LIKE 'WHERE%' OR name LIKE '1%'";

Is this enough to prevent SQL injection? Thanks.

  • Don't use addslashes(). If you use PDO or mysqli, use the data binding features. If you are using the mysql_* functions (which you shouldn't), use mysql_real_escape_string(). Commented Aug 15, 2012 at 21:31
  • Use the mysql function to escape strings or the PDO library (which I personally prefer). Commented Aug 15, 2012 at 21:33
  • @sudowned I feel like puking. Commented Aug 15, 2012 at 21:41
  • Why hash the username? I would've thought that would raise the risk of collision? Also, you should check with Security, but the usual recommendation is to add a salt, which you would need to retrieve (basically from the password record) before hashing the password. Commented Aug 15, 2012 at 22:27
  • Hashing usernames is at least ridiculous: hash everything and encrypt with random salts, and you will never know who is who. Commented Aug 16, 2012 at 0:34

3 Answers


Don't trust in your own abilities to prevent SQL injection! Many better heads than yours have fallen to it.

Use mysqli or PDO and parameterized queries. This has the side benefit of allowing your database to cache query plans too.
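As an added example (not code from the question or from any answer), here is how the asker's login and search queries look with PDO prepared statements; it assumes a hypothetical users(username, password_hash) table and native (non-emulated) prepares, and it also shows the LIKE-wildcard escaping that binding alone does not give you.

```php
<?php
// Added example, not code from the question or answers: the login and search
// queries from the question rewritten with PDO prepared statements.
// Assumed (hypothetical) schema: users(username, password_hash).

class Auth
{
    public function __construct(private PDO $db)
    {
        // Native prepared statements: SQL text and values travel separately,
        // so user input is never parsed as SQL.
        $this->db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }

    // Hashing the username adds nothing for injection safety; the bound
    // placeholder does that work. The password is checked against a
    // password_hash() digest instead of a bare SHA-256.
    public function login(string $username, string $password): bool
    {
        $stmt = $this->db->prepare(
            'SELECT password_hash FROM users WHERE username = :u'
        );
        $stmt->execute([':u' => $username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row !== false && password_verify($password, $row['password_hash']);
    }

    // One bound placeholder per search term. Binding stops injection, but
    // LIKE wildcards (% and _) in a term still need escaping, otherwise a
    // search for "%" matches every row.
    public function search(string $search): array
    {
        $terms = array_values(array_filter(explode(' ', $search), 'strlen'));
        if ($terms === []) {
            return [];
        }
        $clauses = [];
        $params  = [];
        foreach ($terms as $i => $term) {
            $clauses[] = "name LIKE :t$i ESCAPE '!'";
            // Escape the escape character first, then the two wildcards
            $params[":t$i"] = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';
        }
        $stmt = $this->db->prepare('SELECT name FROM users WHERE ' . implode(' OR ', $clauses));
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_COLUMN);
    }
}
```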


7 Comments

More a comment than an answer IMHO.
Sometimes you can't say "this is a safe way to do this incredibly unsafe thing you're doing."
+1 : What is it about geeks that they always try to reinvent the wheel?
Yes, I will revert my opinion anyway, as these other answers are so really bad.
The important part here is parameterized queries because they are good.

There are some very easy steps you can take to make the code more secure:

$query = mysqli_real_escape_string($database_connection, $user);

This escapes any dangerous characters that can adversely affect the SQL string.

$query = mysqli_real_escape_string($database_connection, trim($user));

In this step we added the trim function, which takes out any white spaces, which are used to launch SQL injection attacks.

You can see more about this here


Alternatively you can convert it to binary:

function mssql_escape($data) {
    // Numbers are passed through unchanged
    if (is_numeric($data))
        return $data;
    // Everything else is emitted as a hex literal (0x...), so it contains
    // no quote that could terminate the string in the query
    $unpacked = unpack('H*hex', $data);
    return '0x' . $unpacked['hex'];
}

... in case you are not on a MySQL DB.
