
I understand that validation in PHP is crucial in order to prevent injection from the client end or from outside PHP.

What I wanted to know is whether it is possible to cause injection after PHP has prepared and run the query and before the database has received the query. What if the hosting server and the SQL server are different?

  • Why should validation be mandatory to prevent sql injection? You can prevent sql injection even without validation. The result may be an empty one, but that's the fault of the would-be-injector. Commented Jul 26, 2014 at 22:05
  • PHP does not run queries. It sends query instructions to databases and, if appropriate, receives results. In any event, if you are ensuring that the variables have the proper datatypes and you use query parameters, you should be ok on this topic. Commented Jul 26, 2014 at 22:20
  • @DanBracuk - Is it possible for hackers to read the PHP query instructions before they reach the SQL server? Please share any link you know on this topic. Commented Jul 26, 2014 at 22:26
  • The NSA has done it, so yes - it is possible. Commented Jul 26, 2014 at 22:31

1 Answer

It's always theoretically possible to tamper with connections between webservers and databases, but it requires that the perpetrator is extremely skilled and obtains access to the network nodes between the webserver and the database.

If he manages to obtain that, you have a whole lot more to worry about than SQL injection.


4 Comments

Your application will probably be running at some webhost that has a datacenter. It's their job to make sure the data that flows through connections between individual servers in the datacenter is kept within the local network and thereby isn't subject to any eavesdropping or tampering by hackers. How computer networks work and how they can be vulnerable is an enormous subject - way too huge to address here. Read books or even better - take a course on computer networking.
I like your explanation and advice. This place is indeed quite a school. If possible, try to share some link that can be followed for further study. Many thanks.
There should be tons of resources. My textbook when I had computer networking class was "Computer Networking - a top down approach" by James Kurose, which I found to be an excellent and comprehensive primer. As a PHP programmer you don't need to know much about network programming as everything relating to the TCP connections and HTTP protocol is handled by Apache/Nginx. However, if you want to dig into it, you'll want to experiment with "socket programming" in either Java, Ruby or Python.
And only after becoming practised in these subjects and understanding network layers, infrastructure and programming interfaces will you be able to understand how hackers can do their stuff and what you can do to stop it. But keep in mind, the job of securing the connections between servers is the job of a network admin, not a programmer. At best, your job is to make sure your software supports SSL connections if you don't trust the network.
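As an added example that is not part of the question or answer: the two controls the comments point to, query parameters (so client input can never alter the SQL text) and an SSL/TLS link to the database (so the query cannot be read or altered between the web host and a separate SQL server), combined in PHP's PDO. The host name, database name, credentials and CA file path are assumed values.

```php
<?php
// Added example, not from the original question or answer. Connects to a MySQL
// server on another host over TLS with certificate verification, confirms the
// session really is encrypted, then runs a parameterised query.
// Host, database, user and CA path are assumed placeholder values.

function connectMysqlOverTls(string $host, string $db, string $user, string $pass, string $caFile): PDO
{
    $dsn = "mysql:host=$host;dbname=$db;charset=utf8mb4";
    $options = [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,       // real server-side prepared statements
        PDO::MYSQL_ATTR_SSL_CA     => $caFile,     // CA that signed the DB server's certificate
        PDO::MYSQL_ATTR_SSL_VERIFY_SERVER_CERT => true, // reject a certificate the CA did not sign
    ];
    $pdo = new PDO($dsn, $user, $pass, $options);

    // Defence in depth: an empty Ssl_cipher means the session fell back to plaintext.
    $row = $pdo->query("SHOW STATUS LIKE 'Ssl_cipher'")->fetch(PDO::FETCH_ASSOC);
    if (empty($row['Value'])) {
        throw new RuntimeException('Database connection is not using TLS');
    }
    return $pdo;
}

function findUserByEmail(PDO $pdo, string $email): ?array
{
    // The SQL text is fixed at prepare time; $email is sent separately as data,
    // so quotes or SQL keywords in it are stored and compared literally.
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage with assumed values: the database lives on a different server, as in the question.
$pdo = connectMysqlOverTls(
    'db.internal.example', 'app', 'app_user', getenv('DB_PASS') ?: '', '/etc/ssl/certs/db-ca.pem'
);
// An apostrophe in the input is harmless: it never becomes part of the SQL text.
var_dump(findUserByEmail($pdo, "o'brien@example.com"));
```

Requiring `MYSQL_ATTR_SSL_VERIFY_SERVER_CERT` is what turns "supports SSL" into protection against a node in between impersonating the database; with only `MYSQL_ATTR_SSL_CA` set, a certificate mismatch may be tolerated depending on the driver version.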
