To add on to what Jens mentions, with PHP, you can at least sanitize the
$NewID by using (integer)$NewID.  Any string or non integer that is
assigned to $NewID will get converted to the integer value zero.  From my
experience, typically IDs aren't stored as zero, but I've not looked at
EVERY database out there, so there could still be consequences.  Just know
your data.

With strings, you can use mysql_real_escape (or something of the sort --
been a few months since I've dealt with PHP/MySQL directly) which will
convert any string into a SQL safe string.  There are additional things you
can do to sanitize what you're inputting, but it'd depend on what codepage
you're putting the data in as, and where you're getting the data from.  I
have only ever dealt with ASCII, sanitize as ASCII, and strip out any other
character that doesn't fit between #01 and #FF.  Unicode is not in my
vocabulary, since I don't write in any other spoken language that doesn't
fit within 8 bits.

There is also binding you can do, as Jens mentions.  I've infrequently done
this as I've written routines that do the sanitizing for me, so I don't
need to think about it, and it's a PDO thing.

On Tue, Aug 8, 2017 at 12:58 PM, Jens Alfke <> wrote:

> > On Aug 5, 2017, at 6:48 AM, Edmondo Borasio <> wrote:
> >
> > $query1="INSERT INTO Table"."(ID,name,surname)"."VALUES(\' ' . $NewID .
> > '\','newName','newSurname');";
> It’s a very, very bad idea to insert variable strings directly into a SQL
> query like this. If the content of those strings is unknown or untrusted
> data (as it usually is), it leaves you wide open to SQL Injection Attacks,
> which give an attacker full access to your database. This is probably the
> single most common form of attack against web applications.
> Your PHP SQLite API includes facilities for safely plugging variables into
> the query, similar to printf. You put a placeholder like “?” into the SQL
> string and then pass the actual value as a separate parameter to the PHP
> function. That’s the right way to do it. (As a bonus, it lets you
> precompile the query and reuse it, which speeds up your code.)
> —Jens
> _______________________________________________
> sqlite-users mailing list
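A worked version of the three approaches discussed in this thread (casting the ID to an integer, concatenating strings into the query, and binding values through "?" placeholders), added here as an example rather than code from either poster. It assumes PHP's PDO SQLite driver; the in-memory database, the table and the inputs are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. Runs against an in-memory
// SQLite database through PDO; table and inputs below are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (ID INTEGER, name TEXT, surname TEXT)');

// Constructed untrusted inputs: a non-numeric ID and a surname with a quote.
$NewID   = "abc";
$surname = "O'Brien";

// (a) Casting, as the reply suggests: a non-integer string collapses to 0,
//     so the ID can no longer carry SQL text, but 0 is what gets stored.
//     Checking the value first avoids writing a bogus row at all.
$id = (int)$NewID;                                   // 0
if (filter_var($NewID, FILTER_VALIDATE_INT) === false) {
    echo "Note: '$NewID' is not an integer; cast gives $id\n";
}

// (b) Concatenation, as in the original post: the quote in $surname ends
//     the string literal early and SQLite rejects the statement. Untrusted
//     input that changes the SQL text is the problem Jens describes.
try {
    $db->exec("INSERT INTO people (ID,name,surname) VALUES('" . $id .
              "','newName','" . $surname . "')");
} catch (PDOException $e) {
    echo "Concatenated query failed: " . $e->getMessage() . "\n";
}

// (c) Binding, as Jens describes: "?" placeholders stay in the SQL text and
//     the values travel separately, so the quote is stored as data. The
//     PDO::PARAM_INT hint tells the driver the ID is an integer.
$stmt = $db->prepare('INSERT INTO people (ID,name,surname) VALUES(?,?,?)');
$stmt->bindValue(1, $id, PDO::PARAM_INT);
$stmt->bindValue(2, 'newName', PDO::PARAM_STR);
$stmt->bindValue(3, $surname, PDO::PARAM_STR);
$stmt->execute();

// The prepared statement is reused for a second row, which is the
// precompile-and-reuse bonus Jens mentions (values passed as an array).
$stmt->execute([8, 'other', 'Smith']);

foreach ($db->query('SELECT ID, name, surname FROM people') as $row) {
    printf("%d | %s | %s\n", $row['ID'], $row['name'], $row['surname']);
}
```

Only the two bound rows appear in the output; the concatenated attempt never reaches the table because the stray quote breaks the statement.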