I'm working on a site where contents pages are handled with mod_rewrite and I'm trying to make the URL managed with mod_rewrite protected from SQL injections with some char restriction, because users can create pages contents like this:


My doubts come when they insert something like:


I need to insert ' char because I can have names like this for example of famous architects, but I don't know if I can keep data safe and how prevent SQL injections with this character.

Should I do something particular to prevent attacks?

I'm using PDO class in PHP like this:

$architect = strip_tags (trim ($_REQUEST["architect"]));

// pdo class etc..
$pdo_stmt->bindParam (":arch", $architect, PDO::PARAM_STR);
// and the other code here...

Users can't create pages with these chars: < > / \ * ? = should I ban ' and " too? Or should I permit only one of ' and " chars or can I use them together and keep server safe?


From a design perspective, you really want to be guarding against SQL injection as close to the database as possible instead of relying on other layers of your application--like your mod_rewrite rules--to provide that protection. Your use of bound parameters in PDO is highly recommended in this regard.

Written by Schwartzie

Accepted Answer

$stmt->bindParam (and bindValue, and in general, prepared statements) are safe against SQL injection. All serious SB frameworks support a way of adding parameters to a query, and values added that way are sanitized. You should always do that and never insert variables data coming from users (see comments) manually into an SQL query string.

That still leaves the question of XSS injections, which are easier to miss (though also less dangerous); to avoid them, make sure you always use htmlspecialchars($var,ENT_QUOTES) (or urlencode, depending on the context).

Written by Tgr
This page was build to provide you fast access to the question and the direct accepted answer.
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki