Replace MySQL queries with prepared statements or stored procedures #1

Status: Open · opened by bentsherman (Member) on Jan 23, 2017 · 0 comments

Our PHP scripts currently use MySQL by string concatenation, which makes the scripts potentially vulnerable to SQL injection attacks. I've tried to make sure that POST data is sanitized in all of the PHP scripts (see escape_json() in connect.php) but any place I missed is a vulnerability. Therefore, the alternative is to use prepared statements or stored procedures instead. Both techniques are features of MySQL and they have their own trade-offs, but at some point it may be worth considering this issue.
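As an added illustration of the two styles the issue contrasts (example code written for this note, not taken from the project's scripts): the same lookup built by string concatenation, then as a mysqli prepared statement, then as a PDO prepared statement. The `$db` / `$pdo` handles, the `users` table and its columns are assumptions, as is the `$_POST['email']` field.

```php
<?php
// Added example; not from the project's connect.php. Assumes an open mysqli
// handle $db (or PDO handle $pdo) and a hypothetical table users(id, email).

// BEFORE: the value is spliced into the SQL text. If any input reaches this
// function without being escaped, a quote character in it is parsed as SQL,
// so correctness depends on every caller remembering to sanitize.
function find_user_concat(mysqli $db, string $email): ?array
{
    $sql = "SELECT id, email FROM users WHERE email = '" . $email . "'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// AFTER (mysqli): the statement text with a placeholder is sent to the server
// first; the value is bound afterwards and is only ever treated as data, so
// no escaping is needed for the query to stay well-formed.
function find_user_prepared(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare("SELECT id, email FROM users WHERE email = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    $stmt->bind_param("s", $email);          // "s": bind as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// AFTER (PDO): same idea with named placeholders. Note that PDO's MySQL
// driver emulates prepares client-side by default; setting
// PDO::ATTR_EMULATE_PREPARES to false makes the server do the parsing.
function find_user_pdo(PDO $pdo, string $email): ?array
{
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $pdo->prepare("SELECT id, email FROM users WHERE email = :email");
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Typical call site from a POST handler (hypothetical field name):
// $user = find_user_prepared($db, $_POST['email'] ?? '');
```

With mysqli, calling `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` before the queries turns silent failures of `prepare()` and `execute()` into exceptions, which makes a missed conversion easier to spot during testing.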

Labels: Development