2

I have been doing a bit of research on SQL injections and so far all I can see is when you are concatenating query strings with variables, you have problems.

My question(s) is/are:

If I have this code:

$query  = "SELECT id, name, inserted, size FROM products";
$result = odbc_exec($conn, $query);

Am I subject to sql injection? I didn't think so but I found a post on stackoverflow that indicated that it was.

Now if I have this code:

$variable = "name";
$query = "SELECT"' .$variable. ' FROM products";
$reulst = odbc_exec($conn, $query);

Am I still stubject to injection? It seems to me that I have full control of that variable and the code is run on the server side so that would be safe. Is this correct?

Thanks in advance for any input!

Improve this question
2
  • 2
    No. If a query doesn't contain any user-provided data, then it cannot be injected. Your second version IS vulnerable to injection, but only if the data YOU'VE provided contains vulnerable data. But it's not user-provided data, so it's "most likely" safe. Commented Aug 19, 2011 at 15:19
  • 1
    Note that instead of $query = "SELECT"' .$variable. ' FROM products"; you can also use this syntax: $query = "SELECT '$variable' FROM products"; Commented Aug 19, 2011 at 15:23

7 Answers 7

Reset to default
6

SQL injection is usually a problem if you have input from a source you can't trust. Seeing as this is the case in neither of your examples, you're fine as far as malicious attacks go.

However, it is good practice to escape $variable before inserting it into the query string even if you control it.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

confirmed what I was leaning towards. Thanks!
2

You are prone to sql injection if you allow any user input into your queries at all. With the two examples provided, nothing is being input from the user, so these are both safe.

Improve this answer

Comments

2

The first query is not subject to injection as there are no dynamic parts to it.

The second is. Even if you think you have full control over your variable, if you are using user supplied data (whether coming from form sumbit, cookies etc...), you can be vulnerable.

Always use parameterized queries through a SQL library that will ensure data is safely escaped.

Improve this answer

Comments

1

The only case when a query can get exposed is when parts of it are passed from input.

$variable = $_GET["name"];
$query = "SELECT " .$variable. " FROM products";  // now things can get bad
$reulst = odbc_exec($conn, $query);

One correct way of using input variables inside a query would be to escape them:

$variable = addslashes($_GET["name"]); // sanitizing input
$query = "SELECT " .$variable. " FROM products";  // all good here
$reulst = odbc_exec($conn, $query);
Improve this answer

Comments

0

The issue is "where do the values of your variables come from?" If you are using user-submitted data in a query, then you need to be careful how you use it. In your case, you're safe as far as I can tell.

Improve this answer

1 Comment

Sorry for the duplicate answer. We all hit "Submit" at about the same time. :-)
0

For the first example, no, you won't be subject to any SQL injection because there is nothing a user could input to change your query.

In the second case, you're only subject to injection if $variable is derived from some user input.

Improve this answer

Comments

0

Any time you take user input straight into your $query you are susceptible to sql injection. The first code you show is fine, its a straight query, there is no way for the user to input any harmful code. 

$query  = "SELECT id, name, inserted, size FROM products";
$result = odbc_exec($conn, $query);

But the second code snippet (if $variable is taken from a form ) anyone could enter in harmful code and kill your database.

$variable = $_POST['name']; **for instance, this would be bad!
$query = "SELECT"' .$variable. ' FROM products";
$reulst = odbc_exec($conn, $query);

How does $variable get its value?

Improve this answer

1 Comment

wow, i started typing and when i was done there were 7 answers! you guys are fast!!

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.