SQL Injection Protection
Posted: Fri Oct 12, 2007 2:22 am
Since there is no topic on SQL Injection, I thought I would start one.
SQL Injection attacks occur when a user enters something malicious into an input field in a form to take control over a SQL statement. The field usually has special characters like single quote, slashes and SQL commands.
In OpenCart, I do not see any protection against SQL injection attacks in the database abstraction layer (/library /database /database.php). I think this is a very important issue to address - especially when it comes to e-commerce applications like OpenCart.
I did some internet searching and found that these attacks can be protected against by using a built-in PHP function like mysql_real_escape_string() or PDO's prepared statement or a third party database abstraction layer (DAL). Since OpenCart is PHP 5 (OOP), then I recommend taking advantage of the open source DAL's of PEAR:MDB2 or ADOdb. Here are some links:
mysql_real_escape_string() - http://www.php.net/manual/en/function.m ... string.php
PDO's prepared statements - http://php.net/pdo-prepare
PEAR:MDB2 - http://pear.php.net/package/MDB2/
ADOdb (Fast and open source !) - http://adodb.sourceforge.net/
These solutions will give a performance decrease, but at least the system is protected.
Also, I have done some snooping inside the Drupal (http://api.drupal.org) code and found that they use preg_replace_callback() . Drupal uses their own DAL... maybe it would be a good idea to get ideas from their code. The two files in Drupal to look at are: /includes/database.inc and /includes/database.mysql.inc
I hope this is good discussion for everyone.
SQL Injection attacks occur when a user enters something malicious into an input field in a form to take control over a SQL statement. The field usually has special characters like single quote, slashes and SQL commands.
In OpenCart, I do not see any protection against SQL injection attacks in the database abstraction layer (/library /database /database.php). I think this is a very important issue to address - especially when it comes to e-commerce applications like OpenCart.
I did some internet searching and found that these attacks can be protected against by using a built-in PHP function like mysql_real_escape_string() or PDO's prepared statement or a third party database abstraction layer (DAL). Since OpenCart is PHP 5 (OOP), then I recommend taking advantage of the open source DAL's of PEAR:MDB2 or ADOdb. Here are some links:
mysql_real_escape_string() - http://www.php.net/manual/en/function.m ... string.php
PDO's prepared statements - http://php.net/pdo-prepare
PEAR:MDB2 - http://pear.php.net/package/MDB2/
ADOdb (Fast and open source !) - http://adodb.sourceforge.net/
These solutions will give a performance decrease, but at least the system is protected.
Also, I have done some snooping inside the Drupal (http://api.drupal.org) code and found that they use preg_replace_callback() . Drupal uses their own DAL... maybe it would be a good idea to get ideas from their code. The two files in Drupal to look at are: /includes/database.inc and /includes/database.mysql.inc
I hope this is good discussion for everyone.