[eluser]Comanche[/eluser]
Hi there,
I'm currently checking my current project for security against sql injection.
I use query bindings most of the time but I'm not sure if I understand the whole thing right.
For example I have the following code fragment:
Code:
$query = array(
    $data['name'],
    $data['passwd'],
    $data['kid']
);
$sql = "UPDATE customers SET
            name=?,
            passwd=?
        WHERE
            kid=?";
$this->db->query($sql, $query);
All the data is passed via POST to the page and at this point I have already checked the values, so I know for sure that kid will be a positive integer.
My problem is the 'passwd'-field, since I want to allow all characters to make brute force attacks less efficient (makes about 95 possible characters per position, at least 6 characters per password -> 95^6 possible passwords). That means that I check 'passwd' for [:graph:] with preg_match.
But that also means that I can type any possible MySQL command into the password field. So one could type
Quote:0 WHERE kid=%; #
which would result in this query
Code:
UPDATE customers SET name=xyz, passwd=0 WHERE kid=%; # WHERE kid=abc;
I'm wondering if query bindings really escape everything which means that the injection from above would result in
Code:
UPDATE customers SET name='xyz', passwd='0 WHERE kid=%; #' WHERE kid='abc';
Edit: Ok, this example isn't perfect since I don't allow whitespaces within the password. But the basic problem would remain the same for a password like
Quote:0;####
which would result in
Code:
UPDATE customers SET name=xyz, passwd=0;#### WHERE kid=abc;
I'm also wondering what happens to double and single quotes within the password.
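The following is an added, stand-alone example (not code from the post or from CodeIgniter) that shows what a bound parameter actually does with the two password values quoted above, plus one containing both single and double quotes. It uses Python's sqlite3 module with the same `?` placeholders and the same table and column names as the post's UPDATE statement; the sample customer rows are constructed for the demo. The `interpolated_sql_text` helper only builds the broken string the post worries about and never executes it, so the contrast with the bound version can be read side by side.

```python
import sqlite3

# Constructed sample rows (not from the original post): kid, name, passwd.
SAMPLE_CUSTOMERS = [
    (7, "alice", "oldpw1"),
    (8, "bob", "oldpw2"),
    (9, "carol", "oldpw3"),
]

# The two password values from the post, plus one carrying both quote kinds.
TRICKY_PASSWORDS = [
    "0 WHERE kid=%; #",
    "0;####",
    "it's\"quoted\"",
]


def make_db():
    """Create an in-memory database with the post's customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (kid INTEGER PRIMARY KEY, name TEXT, passwd TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def interpolated_sql_text(name, passwd, kid):
    """What plain string interpolation would produce. Built only for display,
    never executed: this is the text the post shows, with the password's
    characters landing inside the SQL grammar."""
    return "UPDATE customers SET name=%s, passwd=%s WHERE kid=%s;" % (name, passwd, kid)


def update_customer_bound(conn, name, passwd, kid):
    """Analogue of $this->db->query($sql, $query) in the post: '?' placeholders
    plus a list of values. The values are handed to the driver as data, so
    quotes, semicolons and '#' in passwd are stored verbatim and are never
    parsed as SQL. Returns the number of rows the UPDATE touched."""
    sql = "UPDATE customers SET name=?, passwd=? WHERE kid=?"
    cur = conn.execute(sql, (name, passwd, kid))
    conn.commit()
    return cur.rowcount


def snapshot(conn):
    """Return every row so the test can confirm only kid=7 changed."""
    return conn.execute(
        "SELECT kid, name, passwd FROM customers ORDER BY kid"
    ).fetchall()


def demo(passwd):
    """Run one bound UPDATE for kid=7 with the given password and return
    (rows affected, table contents afterwards)."""
    conn = make_db()
    affected = update_customer_bound(conn, "xyz", passwd, 7)
    rows = snapshot(conn)
    conn.close()
    return affected, rows


if __name__ == "__main__":
    for pw in TRICKY_PASSWORDS:
        print("interpolated (NOT executed):", interpolated_sql_text("xyz", pw, 7))
        affected, rows = demo(pw)
        print("bound: rows affected =", affected, "| stored for kid=7:", repr(rows[0][2]))
```

Each run touches exactly one row, and the value read back for kid=7 is byte-for-byte the password that was bound, quotes included; the other two rows are untouched. That is the behaviour the post is asking about: with bindings, the placeholder is filled with a quoted literal, so `0;####` becomes the stored password rather than a statement terminator and comment.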