How to Prevent SQL Injection and Other Attacks

Creating desktop or client-server database solutions?

gorgebutler
Posts: 1
Joined: Thu Feb 06, 2025 1:28 pm

How to Prevent SQL Injection and Other Attacks

Post by gorgebutler » Tue Feb 18, 2025 1:27 pm

SQL Injection is a common security issue that allows attackers to manipulate database queries by injecting malicious SQL code. To prevent this, always use prepared statements and parameterized queries instead of directly inserting user inputs into SQL queries.

Example of Vulnerable Code (Unsafe)

$userid = $_GET['id'];                                 // raw, unvalidated request parameter
$query = "SELECT * FROM users WHERE id = '$userid'";   // user input interpolated straight into the SQL text
$result = mysqli_query($conn, $query);                 // $conn: an existing mysqli connection

The above code is unsafe because an attacker can enter ' OR '1'='1 and retrieve all users' data.

Safe Code Using Prepared Statements (PHP & MySQLi)

$userid = $_GET['id'];                                          // same input, but it is never concatenated into the query
$stmt = $conn->prepare("SELECT * FROM users WHERE id = ?");     // '?' placeholder instead of string interpolation
$stmt->bind_param("i", $userid);                                // "i": the value is bound as an integer
$stmt->execute();
$result = $stmt->get_result();

This method prevents SQL injection by ensuring that inputs are treated as values, not part of the SQL command.

Other security measures include:

Input Validation: Restrict input types to only expected values.
Escaping User Inputs: Use functions like mysqli_real_escape_string().
Least Privilege Principle: Limit database user permissions.
Use Web Application Firewalls: Prevent automated attacks.
By following these best practices, you can protect your application from SQL injection and other security threats.
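The vulnerable and parameterized lookups from the post, plus the "input validation" point, as a runnable added example. This is not the original poster's code: it uses Python's standard sqlite3 module with a constructed in-memory users table instead of PHP and MySQLi, so it runs offline and shows the same ' OR '1'='1 input returning every row through string interpolation but no rows through a bound parameter.

```python
import sqlite3

# Constructed sample data (not from the post): three users.
SAMPLE_USERS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """Build an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, userid):
    """Mirrors the vulnerable PHP: the value is spliced into the SQL text.

    With userid = "' OR '1'='1" the statement becomes
    SELECT ... WHERE id = '' OR '1'='1', which matches every row.
    """
    query = f"SELECT id, name FROM users WHERE id = '{userid}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, userid):
    """Mirrors the prepared-statement version: '?' placeholder, value bound separately.

    The driver sends the SQL and the value to the engine as two things;
    the value can never change the shape of the statement.
    """
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (userid,)).fetchall()


def validate_userid(raw):
    """Input validation: accept only a decimal integer string, reject anything else."""
    if not isinstance(raw, str) or not raw.isdigit():
        raise ValueError(f"invalid user id: {raw!r}")
    return int(raw)


def lookup_validated(conn, raw):
    """Validation and parameterization together: both checks, not one or the other."""
    return lookup_parameterized(conn, validate_userid(raw))


if __name__ == "__main__":
    db = make_db()
    print("unsafe, id=2:        ", lookup_unsafe(db, "2"))
    print("unsafe, injected:    ", lookup_unsafe(db, "' OR '1'='1"))
    print("parameterized, inj.: ", lookup_parameterized(db, "' OR '1'='1"))
    print("validated, id=3:     ", lookup_validated(db, "3"))
```

Note that escaping (the post's mysqli_real_escape_string() point) is a fallback for the cases where a value cannot be bound, such as an identifier or a LIMIT clause; for ordinary values the bound parameter already makes the escaping unnecessary.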

richmond62
Livecode Opensource Backer
Posts: 10115
Joined: Fri Feb 19, 2010 10:17 am

Re: How to Prevent SQL Injection and Other Attacks

Post by richmond62 » Tue Feb 18, 2025 2:03 pm

Is this relevant to LiveCode?

bogs
Posts: 5480
Joined: Sat Feb 25, 2017 10:45 pm

Re: How to Prevent SQL Injection and Other Attacks

Post by bogs » Tue Feb 18, 2025 2:45 pm

I suspect the OP is a bot for several reasons; however, to answer your question Richmond, the above *is* relevant since you can craft and interact with SQL DBs using SQL statements directly in LC, bypassing LC's own DB statements. If you are doing so, it is helpful to know and understand not only what injection attacks are, but how to avoid including injection attack vectors in your code.

Having said that, though, and despite suspecting the OP as stated above, the (very) basic overview given is correct as far as quickly skimming it suggests.