Stored Programs and Code Injection
SQL injection is the name given to a particular form of security attack in applications that rely on dynamic SQL. With dynamic SQL, the SQL statement is constructed, parsed, and executed at runtime. If that statement is pieced together from one or more fragments of SQL syntax, a malicious user could inject unintended and unwanted code for execution within the dynamic SQL framework.
For an example of code injection , consider the PHP code shown in Example 18-12. This code requests a department ID from the user (line 7) and then builds up a SQL statement to retrieve the names of all employees in that department (lines 24-35).
See Chapter 13 for a detailed discussion of interfacing between PHP and MySQL.
1 <html> 2 <title>Employee Query</title> 3 <h1>Employee Query</h1> 4 5 <FORM ACTION="<?php echo $_SERVER['PHP_SELF']; ?>" METHOD=POST> 6 <p>Enter Department Id: 7 <input type="text" name="department" size="60"> 8 <input type="submit" name="submit" value="submit"><p> 9 </form> 10 11 <?php 12 require_once "HTML/Table.php"; 13 14 15 /*Check to see if user has hit submit*/ 16 if (IsSet ($_POST['submit'])) { 17 $dbh = new mysqli($hostname, $username, $password, $database); 18 19 /* check connection */ 20 if (mysqli_connect_errno( )) { 21 printf("Connect failed: %s\n", mysqli_connect_error( )); 22 exit ( ); 23 } 24 $sql="SELECT employee_id,surname,firstname FROM employees". 25 " WHERE department_id =".$_POST['department']; ...
Get MySQL Stored Procedure Programming now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.