Question

I have never asked a question before because I tend to always find what I need either here or in nixcraft.

I was hoping for a little guidance regarding an application that will be consumed only by technical people within my organization. They need to be able to query the database, but because of the sensitive nature of the information we do not want them to be able to export a data dump. I'm sure there are other risks to watch out for, but am really not sure what these risks may be. The only sanitizing I can think of would be to check for SQL syntax issues, and to prevent any kind of statement that would produce a data dump.

The script will be written in PHP without any kind of external library. Database permissions will be limited to SELECT, so there will be no updating, inserting, dropping, etc... We will not be able to take advantage of PDO prepared statements because our users will be entering the entire SQL query from start to finish.

Any thoughts you may have would be greatly appreciated.


Solution

If you are allowing users to enter entire queries just to SELECT, don't. This would be a security nightmare.

Instead, use PDO prepared statements and allow users to do advanced searching; doing otherwise would require an AI's level of sanitizing, and if you were doing that, you wouldn't be asking this question.

Instead, ask yourself what logic you need for record searching. Do you need to search multiple fields? If you need joins, you can implicitly (and automatically) join the tables together when you fetch records.
You can also use parameters for LIMIT, pagination, and all manner of things in a form.

The basic point is this: if a user can write an SQL query, you might as well just give them a login to your SQL console and ignore all sanitizing. Sanitizing input when a user is writing their own query would be rather strange, and could result in the query not even running.

Other tips

You can limit the fields that your queries will use as user-provided data and run them through mysqli_real_escape_string first.

This assumes that you're exposing only a form with the fields that you want them to search on and not something that allows them to enter a full query.

HTH
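To make the advice in both answers concrete (a search form with fixed fields instead of free-form SQL, values passed as PDO parameters, LIMIT and pagination bound as parameters), here is an added example that is not code from either poster. It uses PDO parameter binding rather than mysqli_real_escape_string, and runs against an in-memory SQLite database with a few constructed rows so it can be executed stand-alone; the `employees` table, its column names and the `$form` array (standing in for `$_GET`/`$_POST`) are assumptions.

```php
<?php
// Added example: a form-driven "advanced search" on top of PDO prepared
// statements. The schema, column names and the $form array are assumptions;
// the rows inserted below are constructed sample data so this runs offline.
declare(strict_types=1);

// Identifiers (column names, sort direction) cannot be bound as parameters,
// so they come from a fixed allowlist and never from the request itself.
const SEARCHABLE    = ['name', 'department', 'email'];
const SORTABLE      = ['id', 'name', 'department'];
const MAX_PAGE_SIZE = 50;

function buildSearchQuery(array $form): array
{
    $where  = [];
    $params = [];

    foreach (SEARCHABLE as $col) {
        if (isset($form[$col]) && $form[$col] !== '') {
            // The user supplies only the value; the column name is ours.
            $where[]         = "$col LIKE :$col";
            $params[":$col"] = '%' . $form[$col] . '%';
        }
    }

    // Unknown sort columns fall back to a safe default instead of being spliced in.
    $sort = in_array($form['sort'] ?? '', SORTABLE, true) ? $form['sort'] : 'id';
    $dir  = (($form['dir'] ?? 'asc') === 'desc') ? 'DESC' : 'ASC';

    // Page size is capped so a user cannot pull the whole table in one request.
    $pageSize = max(1, min(MAX_PAGE_SIZE, (int) ($form['page_size'] ?? 20)));
    $page     = max(1, (int) ($form['page'] ?? 1));

    $sql = 'SELECT id, name, department, email FROM employees';
    if ($where) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    $sql .= " ORDER BY $sort $dir LIMIT :limit OFFSET :offset";

    $params[':limit']  = $pageSize;
    $params[':offset'] = ($page - 1) * $pageSize;

    return [$sql, $params];
}

function runSearch(PDO $db, array $form): array
{
    [$sql, $params] = buildSearchQuery($form);
    $stmt = $db->prepare($sql);
    foreach ($params as $name => $value) {
        // LIMIT/OFFSET must be bound as integers: with PDO's emulated prepares
        // (the MySQL default) a string-bound "20" becomes the literal '20',
        // which MySQL rejects in a LIMIT clause.
        $stmt->bindValue($name, $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data (assumption) so the example runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, department TEXT, email TEXT)');
$ins = $db->prepare('INSERT INTO employees (name, department, email) VALUES (?, ?, ?)');
foreach ([['Alice', 'Finance', 'alice@example.org'],
          ['Bob', 'IT', 'bob@example.org'],
          ['Carol', 'Finance', 'carol@example.org']] as $row) {
    $ins->execute($row);
}

// A normal search: department contains "Finance", sorted by name, 10 per page.
print_r(runSearch($db, ['department' => 'Finance', 'sort' => 'name', 'page_size' => '10']));

// An injection attempt. The payload only ever reaches the database as a bound
// LIKE value and the sort field is not on the allowlist, so this returns zero
// rows rather than every row (or a UNION dump).
print_r(runSearch($db, [
    'name' => "' OR 1=1 UNION SELECT * FROM employees --",
    'sort' => 'id; DROP TABLE employees',
]));
```

For MySQL, swap the DSN and consider `$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false)` so the server itself parses the statement and the parameters never touch the SQL text. The SELECT-only grant mentioned in the question is still worth keeping as a second layer, but it does not stop a free-form `SELECT *`; only controlling the shape of the query, as above, does that.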

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow