
How to solve SQL injections

Hi,

I am using Phalcon but not the ORM. I am sending my own queries to the database.

A few days ago I realized that when I call $this->get("name") from any controller, the string passed by the user is not sanitized, so I am potentially sending dangerous SQL code straight to the database.

My project is around a million lines of code now and I cannot go through every single get() and add the second parameter. I need a way to overwrite the get() method from the bootstrap and sanitize all responses at once.

I have been trying this for a few days without luck. Can you guys point me in the right direction, or help with a better solution?

Thank you!

Thanks for your response. I am actually using the Phalcon framework to contact the DB, just not the ORM. For instance, I am using the following code to run a query:

$sql = "SELECT blah FROM blah";
$this->di->get('db')->query($sql);

The good part: this code is centralized inside a function that I call throughout the system. Maybe I can sanitize here... Any ideas how?

hello, you can use PDO or something like this

https://php.net/manual/en/security.database.sql-injection.php

https://php.net/manual/en/pdo.prepared-statements.php

https://php.net/manual/en/mysqli.quickstart.prepared-statements.php


try to adapt something like this

use Phalcon\Db\Column;

// Positional placeholder: the value is bound, not concatenated into the SQL text.
$resultset = $connection->query(
    "SELECT * FROM robots WHERE type = ?",
    [
        "mechanical",
    ]
);

// Named placeholder with an explicit bind type (a name is a string, so
// BIND_PARAM_STR, not BIND_PARAM_INT). Prepare and execute on the same adapter.
$statement = $connection->prepare(
    "SELECT * FROM robots WHERE name = :name"
);

$result = $connection->executePrepared(
    $statement,
    [
        "name" => "Voltron",
    ],
    [
        "name" => Column::BIND_PARAM_STR,
    ]
);
https://docs.phalcon.io/en/3.0.0/api/Phalcon_Db_Adapter_Pdo_Mysql.html

Use binding.

Why not use the ORM? You can build your own queries in PHQL too, and having OOP is much nicer and cleaner.

It is a mechanism of getting secure data from the database.

SQL injection attacks:

- By providing proper validations for input fields.
- By using parameterised queries.
- By using stored procedures.
- By using frequent code reviews.
- We must not display database error messages in the frontend.

SQL injection is a code injection technique used to attack data-driven applications.


That is the whole construct of ORM Models: your database constraints are contained within singularity classes mapped to tables where all your manipulation methods would be stored. You are currently using a Phalcon ORM to misuse it. You are doing no different to mysql_query(), as the Phalcon ORM is only a wrapper around PDO.

I currently have a server control panel for my client in which the servers model is 600 lines and a lot of methods all used many times over. If I did raw SQL queries across the 580k lines for the app, I wouldn't know what I was doing.


I'm looking for a solution for this too when using mysql raw within Phalcon which I have to do with some of the more complicated queries and when using queries that use ORDER BY CASE etc. Is there a way of binding when using sql raw?
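One way to centralize binding in the raw-SQL wrapper the original poster described, including the ORDER BY CASE situation asked about above. This is an added example, not code from the thread or from Phalcon itself; it assumes Phalcon 3.x with a Phalcon\Db\Adapter\Pdo\Mysql service registered as "db", and the class and method names (SafeDb, fetch, fetchRobotsSorted) are hypothetical.

```php
<?php
// Added example (not from the thread): one central helper that keeps user input
// out of the SQL text. Assumes Phalcon 3.x with the PDO MySQL adapter registered
// in the DI container as "db"; SafeDb and its methods are hypothetical names.
use Phalcon\Db;
use Phalcon\Db\Column;
use Phalcon\Di;

class SafeDb
{
    /** @var \Phalcon\Db\Adapter\Pdo\Mysql */
    private $db;

    public function __construct()
    {
        $this->db = Di::getDefault()->get('db');
    }

    // Every value travels as a bind parameter; $sql must never contain user data.
    public function fetch(string $sql, array $params = [], array $types = []): array
    {
        return $this->db->fetchAll($sql, Db::FETCH_ASSOC, $params, $types);
    }

    // Identifiers (column names, sort direction) cannot be bound by PDO, so they
    // are mapped through a whitelist instead of being copied from the request.
    public function fetchRobotsSorted(string $type, string $sortBy, string $dir): array
    {
        $allowedColumns = ['name' => 'name', 'year' => 'year'];
        if (!isset($allowedColumns[$sortBy])) {
            throw new InvalidArgumentException('Unknown sort column');
        }
        $column = $allowedColumns[$sortBy];
        $dir    = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';

        // The CASE expression still only sees user data through the :type bind,
        // so a quoted or commented value is compared as plain string data.
        $sql = "SELECT name, year FROM robots "
             . "ORDER BY CASE WHEN type = :type THEN 0 ELSE 1 END, {$column} {$dir}";

        return $this->fetch($sql, ['type' => $type], ['type' => Column::BIND_PARAM_STR]);
    }
}

// Usage from a controller action (request values are passed through untouched):
//   $rows = (new SafeDb())->fetchRobotsSorted(
//       $this->request->get('type'), $this->request->get('sort'), $this->request->get('dir')
//   );
```

Routing every raw query through fetch() gives one place to audit: any call that builds $sql with concatenated request values is the one that still needs fixing.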