5

I have a website hosted on a shared hosting. They have php 5.2.13 installed.

I know the vulnerabilities of SQL Injection and I want to prevent it.

So I want to use PDO or mysqli for preventing it.

But the problem is that when I used phpinfo(); to view the hosting environment's PHP setup info,
I found that there was no mysql driver for PDO and there was no support for mysqli in it.

So I wanted to know whether it will be safe to use those old mysql_* functions (along with functions like mysql_real_escape_string).

I looked at this one on SO but it wasn't very helpful to me: Prepared statements possible when mysqli and PDO are not available?

UPDATE:

I forgot to mention that most of the queries will be simple. There are no forms used, so no user input will be used to make a query. All the queries will be hard-coded with the necessary parameters and they will not be changed once set.

4
  • Have you considered using a hosting company that does not give you a crippled PHP setup? Commented Nov 6, 2012 at 8:52
  • It belongs to my friend, for whom some other guy was handling all the website stuff like designing, purchasing the domain and hosting service, etc. Now my friend wants me to maintain his site. Commented Nov 6, 2012 at 8:54
  • PHP 5.2 is not even supported anymore. So using that version already makes the provider bad - you don't simply give your customers an outdated version that is no longer provided with security updates etc. Commented Nov 6, 2012 at 8:56
  • Yeah, I know. I will tell my friend about it and it's up to him to decide whether to stay with it or switch to some other provider. Commented Nov 6, 2012 at 8:58

3 Answers 3

4

No. The lack of more secure solutions is never a valid excuse to fall back to a less secure or more vulnerable solution.

You're much better off finding a different hosting provider that doesn't disable arbitrary PHP features even in their shared hosting packages. Oh, and try to get one that uses PHP 5.3, or better yet if you can, PHP 5.4.


1

If you're really rigorous about always using mysql_real_escape_string() with all user-supplied input, then I think you should be safe from any SQL injection that prepared statements protect you from.

How perfect are you at this? I'll bet most of the buffer overflow vulnerabilities were created by programmers who thought they were good at checking inputs....


0

A good way to do that is to implement a wrapper class around the mysql_* functions, with a few methods to create prepared statements.

The idea is that you must pass strongly-typed parameters in your queries.

For instance, here is a piece of code with the general idea. Of course it needs more work. But that can prevent SQL injection attacks if it's properly implemented.

You can also search for 3rd party libraries that already implement that, because this is common.

<?php

class MyDb
{
  protected $query;
  protected $result; // result resource, so the query is executed only once

  public function setQuery($query)
  {
    $this->query = $query;
    $this->result = null;
  }

  public function setNumericParameter($name, $value)
  {
    if (is_numeric($value)) // SQL Injection check, is the value really a number?
    {
       // str_replace() takes the subject string as its third argument;
       // only the validated value is substituted into the query
       $this->query = str_replace(':'.$name, (string) $value, $this->query);
    }
    // else, probably an attempt at SQL Injection: the placeholder is left untouched
  }

  // Implement here the methods for all the types you need, including dates, strings, etc

  public function fetchArray()
  {
     // run the query once and keep the result resource; each later call
     // returns the next row until none are left (mysql_fetch_array returns false)
     if ($this->result === null)
     {
        $this->result = mysql_query($this->query);
     }
     return mysql_fetch_array($this->result);
  }
}


$db = new MyDb(); // PHP variables carry no type declaration
$db->setQuery('SELECT * FROM articles WHERE id = :id');
$db->setNumericParameter('id', 15);

while ($row = $db->fetchArray())
{
// do your homework
}
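The following is an added example, not code from either answer above, showing the "rigorous escaping" discipline of the second answer and the typed-placeholder wrapper of the third one in a single class on top of the legacy mysql_* API. It assumes PHP 5.2 with the mysql extension, an open connection, and an illustrative articles table; the connection credentials are placeholders.

```php
<?php
// Added example (not from the answers above). Builds SQL from named, typed
// placeholders on top of the legacy mysql_* functions. Assumes PHP 5.2 with
// the mysql extension; table, columns and credentials are illustrative.

class SafeLegacyQuery
{
    private $link;
    private $template;
    private $bound = array();

    public function __construct($link, $template)
    {
        $this->link = $link;
        $this->template = $template;
    }

    // Integers: validate the textual form, then cast, so nothing from the
    // original input reaches the SQL except the digits themselves.
    public function bindInt($name, $value)
    {
        if (!preg_match('/^-?\d+$/', (string) $value)) {
            throw new InvalidArgumentException("Parameter '$name' is not an integer");
        }
        $this->bound[$name] = (string) (int) $value;
        return $this;
    }

    // Strings: escape for the connection's charset and always quote.
    // mysql_real_escape_string() only knows the charset if it was set with
    // mysql_set_charset(); a plain "SET NAMES" query does not inform it.
    public function bindString($name, $value)
    {
        $escaped = mysql_real_escape_string((string) $value, $this->link);
        $this->bound[$name] = "'" . $escaped . "'";
        return $this;
    }

    // Build the final SQL. Every :name placeholder must have been bound;
    // an unbound placeholder is an error, never a silent pass-through.
    public function sql()
    {
        return preg_replace_callback(
            '/:([A-Za-z_][A-Za-z0-9_]*)/',
            array($this, 'replacePlaceholder'), // method callback: works on PHP 5.2
            $this->template
        );
    }

    public function replacePlaceholder($match)
    {
        if (!array_key_exists($match[1], $this->bound)) {
            throw new RuntimeException('Unbound parameter :' . $match[1]);
        }
        return $this->bound[$match[1]];
    }

    // Execute once and return all rows; errors are raised, not ignored.
    public function fetchAll()
    {
        $res = mysql_query($this->sql(), $this->link);
        if ($res === false) {
            throw new RuntimeException('Query failed: ' . mysql_error($this->link));
        }
        $rows = array();
        while ($row = mysql_fetch_assoc($res)) {
            $rows[] = $row;
        }
        mysql_free_result($res);
        return $rows;
    }
}

// Usage; DB_USER / DB_PASSWORD / DB_NAME are placeholders for real credentials.
$link = mysql_connect('localhost', 'DB_USER', 'DB_PASSWORD');
mysql_select_db('DB_NAME', $link);
mysql_set_charset('utf8', $link); // lets the escaping function use the right charset

$q = new SafeLegacyQuery(
    $link,
    'SELECT id, title FROM articles WHERE id = :id AND author = :author'
);
$rows = $q->bindInt('id', '15')
          ->bindString('author', "O'Brien") // the quote is escaped, not interpreted
          ->fetchAll();

foreach ($rows as $row) {
    echo $row['id'], ': ', $row['title'], "\n";
}
```

Two design choices matter here. Integer parameters are validated and cast rather than escaped, so the untrusted text never appears in the statement at all; string parameters are escaped with the connection handle and wrapped in quotes by the wrapper, so a caller cannot forget either step. Keep literal colons (time literals, for instance) out of the template string, since the placeholder regex would treat them as parameters, and keep mysql_set_charset() in place: mysql_real_escape_string() escapes according to the charset the client library believes is in use.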
