
MariaDB SQL Injection Protection


May 16, 2021 MariaDB



The simple act of accepting user input opens the door to exploitation. The problem comes mainly from the logical handling of data, but fortunately these major flaws are easy to avoid.

Opportunities for SQL injection typically arise when users enter data such as a name and the code logic fails to analyze that input. Instead, the code allows an attacker to insert a MariaDB statement that will run on the database.

Always treat user-entered data as suspicious and subject it to robust validation before any processing. This validation is performed through pattern matching. For example, if the desired input is a user name, limit the characters entered to alphanumeric characters and underscores, and limit the length to a fixed range. See the example given below:

if (preg_match('/^\w{8,20}$/D', $_GET['user_name'], $matches)) {
   // Whitelist passed: 8-20 characters from [A-Za-z0-9_] only (the D modifier stops $ from matching
   // before a trailing newline). Bind the value instead of pasting it into the SQL string;
   // $conn is an open mysqli connection to the MariaDB server.
   $stmt = $conn->prepare("SELECT * FROM system_users WHERE user_name = ?");
   $stmt->bind_param("s", $matches[0]);
   $stmt->execute();
   $result = $stmt->get_result();
} else {
   echo "Invalid username";
}

The REGEXP operator and LIKE clauses can also be used when building input constraints.

Consider all the explicit controls that input requires, such as:

  • Control the escape characters used.

  • Control the specific data types appropriate for the input. Limit input to the required data type and size.

  • Control the syntax of the input data. Do not allow anything that does not match the expected pattern.

  • Control the terms allowed. Blacklist SQL keywords.

You may not know the dangers of injection attacks, or you may think they are unimportant, but they rank high on any list of security issues. Also, consider the effect of these two inputs:

1=1
-or-
*

Allowing either input to be entered alongside the right command can cause all user data in the database to be revealed or all data in the database to be deleted, and neither injection is particularly clever. In some cases the attacker does not even take the time to examine the hole; they perform blind attacks with simple input.
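As an added example (not from the article), the whitelist check from the PHP snippet above and the `1=1` input just discussed, carried through in Python: a constructed in-memory SQLite table stands in for MariaDB so it runs offline, and the table contents and function names are assumptions. The unchecked interpolated query returns every row for the injected input, while the validated, parameterized query rejects it.

```python
import re
import sqlite3
from typing import List, Optional

# Whitelist from the article: 8-20 characters, letters/digits/underscore only.
# re.ASCII keeps \w to [A-Za-z0-9_], matching what PHP's PCRE does by default.
USER_NAME_RE = re.compile(r"^\w{8,20}$", re.ASCII)


def validate_user_name(value: str) -> Optional[str]:
    """Return the user name if it passes the whitelist, otherwise None."""
    # fullmatch, not search: with search, $ would still accept "alice_01\n".
    m = USER_NAME_RE.fullmatch(value)
    return m.group(0) if m else None


def make_db() -> sqlite3.Connection:
    """Constructed sample data; SQLite stands in for MariaDB here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE system_users (user_name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO system_users VALUES (?, ?)",
        [("alice_01", "alice@example.com"), ("bob_smith", "bob@example.com")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, user_name: str) -> List[str]:
    """The flaw the article warns about: raw input interpolated into the statement."""
    sql = f"SELECT user_name FROM system_users WHERE user_name = '{user_name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, user_name: str) -> Optional[List[str]]:
    """Validate against the whitelist first, then bind the value as a parameter."""
    checked = validate_user_name(user_name)
    if checked is None:
        return None  # the caller reports "Invalid username"
    sql = "SELECT user_name FROM system_users WHERE user_name = ?"
    return [row[0] for row in conn.execute(sql, (checked,))]


if __name__ == "__main__":
    db = make_db()
    injected = "x' OR 1=1 --"          # the article's 1=1 trick as a user-name field value
    print(lookup_unsafe(db, injected))  # every row comes back
    print(lookup_safe(db, injected))    # None: rejected before any SQL is built
    print(lookup_safe(db, "alice_01"))  # ['alice_01']
```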

Also consider the pattern matching and regular expression tools provided by whatever programming or scripting language you use with MariaDB; these offer more control, and sometimes better control.