How to solve SQL injections

Hi,

I am using Phalcon but not the ORM. I am sending my own queries to the database.

A few days ago I realized that when I call $this->get("name") from any controller, the string passed by the user is not sanitized, so I am potentially sending dangerous SQL code straight to the database.

My project is around a million lines of code now and I cannot go through every single get() and add the second parameter. I need a way to overwrite the get() method from the bootstrap and sanitize all responses at once.

I have been trying this for a few days without luck. Can you guys point me in the right direction, or help with a better solution?

Thank you!

Thanks for your response. I am actually using the Phalcon framework to contact the DB, just not the ORM. For instance, I am using the following code to run a query:

$sql = "SELECT blah FROM blah";
$this->di->get('db')->query($sql);

The good part is that this code is centralized inside a function that I call throughout the system. Maybe I can sanitize here... Any ideas how?

Hello, you can use PDO or something like this:

http://php.net/manual/en/security.database.sql-injection.php

http://php.net/manual/en/pdo.prepared-statements.php

http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

edited May '17

Try to adapt something like this:

use Phalcon\Db\Column;

// Positional placeholder: the value is passed separately from the SQL text,
// so the driver never treats it as part of the statement.
$resultset = $connection->query(
    "SELECT * FROM robots WHERE type = ?",
    [
        "mechanical",
    ]
);

// Named placeholder with an explicit prepare step. The bind type describes the
// value: "Voltron" is a string, so it is bound as BIND_PARAM_STR.
$statement = $connection->prepare(
    "SELECT * FROM robots WHERE name = :name"
);

$result = $connection->executePrepared(
    $statement,
    [
        "name" => "Voltron",
    ],
    [
        "name" => Column::BIND_PARAM_STR,
    ]
);
https://docs.phalconphp.com/en/3.0.0/api/Phalcon_Db_Adapter_Pdo_Mysql.html
edited May '17
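The same idea applied to the poster's situation, as an added example that is not code from the thread or from Phalcon itself. It assumes a Phalcon 3.x Phalcon\Db\Adapter\Pdo\Mysql adapter registered in the DI container as "db" (as in the poster's own snippet) and a hypothetical "users" table with id and name columns. It shows the concatenated query beside its bound equivalent, and a central helper in the shape of the poster's that takes bind parameters instead of a finished string:

```php
<?php
// Added example, not code from the thread or from Phalcon. Assumes a Phalcon 3.x
// Phalcon\Db\Adapter\Pdo\Mysql adapter registered in the DI container as "db" and
// a hypothetical "users" table with id/name columns.
use Phalcon\Db;
use Phalcon\Db\Column;

// Vulnerable form: the user-supplied value becomes part of the SQL text, so a
// value containing a quote can change the structure of the statement, not just
// the data it compares against.
function findUserUnsafe(Db\AdapterInterface $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->fetchAll($sql, Db::FETCH_ASSOC);
}

// Hardened form: the SQL text holds only a placeholder; the value travels
// separately and the driver sends it as data. No escaping is needed or done.
function findUserSafe(Db\AdapterInterface $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = :name";
    return $db->fetchAll(
        $sql,
        Db::FETCH_ASSOC,
        ["name" => $name],
        ["name" => Column::BIND_PARAM_STR]
    );
}

// A central helper like the poster's, changed to accept bind parameters. It
// cannot make an already-assembled string safe (by then the data is no longer
// distinguishable from the SQL), but it gives every call site one place to pass
// values separately, and call sites that pass no $bind keep working as before.
function runQuery(Db\AdapterInterface $db, string $sql, array $bind = [], array $types = [])
{
    return $db->query($sql, $bind, $types);
}

// Usage from a controller ($di is the DI container): the value stays a value
// whatever characters it contains.
// $result = runQuery($di->get("db"), "SELECT id FROM users WHERE name = ?", [$name]);
// $result->setFetchMode(Db::FETCH_ASSOC);
// $rows = $result->fetchAll();
```

The practical consequence for a large code base is that the helper's signature, not the helper's body, is what has to change: each call site that currently builds its SQL with a variable inside the string moves that variable into the bind array. A call site that passes a constant string is already fine and needs no edit.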

Use binding.

Why not use ORM? You can build your own queries in phql too, and having oop is much nicer and cleaner.
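What the PHQL route looks like with bound values, as an added example that is not code from the thread. It assumes a standard Phalcon 3.x MVC application with a hypothetical Robots model mapped to the "robots" table, so the controller has $this->request and $this->modelsManager available; both the models manager and the model finder take the value through a "bind" array rather than in the query text:

```php
<?php
// Added example, not code from the thread. Assumes a Phalcon 3.x MVC application
// with a hypothetical Robots model mapped to the "robots" table.
use Phalcon\Mvc\Controller;

class RobotsController extends Controller
{
    public function searchAction()
    {
        // Request input is untrusted whatever filter is applied: the "string"
        // filter strips tags, it does not make a value safe to splice into SQL.
        $name = $this->request->getQuery("name", "string", "");

        // PHQL with a named placeholder (:name:). The value is bound by the
        // adapter, so a quote or comment sequence inside $name stays inside the
        // value instead of ending the string literal.
        $phql = "SELECT r.id, r.name FROM Robots AS r WHERE r.name = :name:";
        $robots = $this->modelsManager->executeQuery($phql, ["name" => $name]);

        // The same rule through the model finder: "conditions" carries the
        // placeholder and "bind" carries the data.
        $sameRobots = Robots::find([
            "conditions" => "name = :name:",
            "bind"       => ["name" => $name],
        ]);

        $this->view->setVar("robots", $robots);
        $this->view->setVar("count", count($sameRobots));
    }
}
```

Either form gives the same protection as the adapter-level bindings in the earlier answer; the ORM's advantage is that the placeholder syntax is the only way it offers to pass a value, so a reviewer can spot a concatenated condition string at a glance.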