SQL Injection Protection

11/01/2016 02:41 IceyNachos#1
I am wanting to buy sql injection protection for my server add me
skype live:vexmega
11/01/2016 09:04 EEOI#2
You don't need to buy stuff like that.
SQL injection is a kind of website attack, if you have a website like the cms you are safe.
11/02/2016 07:51 Polish™#3
Quote:
Originally Posted by EEOI
You don't need to buy stuff like that.
SQL injection is a kind of website attack, if you have a website like the cms you are safe.
Toxic's cms doesn't have sql injection o.O
11/02/2016 19:15 PizzaGuy#4
Make sure MySQL is listening on localhost which prevents outside connections. From there as long as your website is secure with a sanitization function to ensure input is clean w/ preferably the use of PDO, then you're safe.
11/03/2016 14:52 Ih˘săs123#5
Quote:
Originally Posted by PizzaGuy
Make sure MySQL is listening on localhost which prevents outside connections. From there as long as your website is secure with a sanitization function to ensure input is clean w/ preferably the use of PDO, then you're safe.
Nope, it's no problem to use a user with remote connection, you can insert, delete, update with a local user like a remote user... better way is to set permissions for users for tables.

Use mysqli to connect, pdo is simple too but with mysqli you can replace the mysql connect with this function 1:1.
Do a whitelist for inputs.
11/03/2016 17:18 Wizatek#6
PDO > mysqli
11/03/2016 21:53 PizzaGuy#7
Quote:
Originally Posted by Ih˘săs123
Nope, it's no problem to use a user with remote connection, you can insert, delete, update with a local user like a remote user... better way is to set permissions for users for tables.

Use mysqli to connect, pdo is simple too but with mysqli you can replace the mysql connect with this function 1:1.
Do a whitelist for inputs.
The MySQL server doesn't establish a remotely connectable socket when it's bound to localhost. When that is done there is no communicating with MySQL other than locally. You cannot remote into MySQL and control it remotely when it's bound to localhost. So unless you have root access to the server or have abused the web server or web script, you'll never gain access to the database server. Which can be tough for management but it's bulletproof secure. I would also stick to PDO and binding.
11/07/2016 12:00 Ih˘săs123#8
Quote:
Originally Posted by wizatek
PDO > mysqli
Named parameter, but mysqli is a little bit faster qqq.

I like speed, so PDO < mysqli for me.
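The defence posts #4, #5 and #7 describe (PDO or mysqli binding, plus a whitelist for the parts of a query that cannot be bound), as an added example that is not code from the thread or from any CMS mentioned in it; the table layout, account name and connection details are assumptions.

```php
<?php
// Added example, not code from the thread: the defences posts #4, #5 and #7
// describe. Assumes a MySQL table users(id, name, credits) and the placeholder
// credentials below.
declare(strict_types=1);

$dsn  = 'mysql:host=127.0.0.1;dbname=cms;charset=utf8mb4'; // local only, as in post #7
$user = 'cms_app';               // placeholder: low-privilege account, per post #5
$pass = 'PLACEHOLDER_PASSWORD';  // placeholder

// The injectable pattern: input concatenated into the SQL text, so a quote
// in $name ends the string literal and the rest is parsed as SQL.
function findUserUnsafe(PDO $db, string $name): array {
    $sql = "SELECT id, name, credits FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// PDO with a named parameter: the value travels separately from the
// statement, so it is always data, never SQL.
function findUserPdo(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT id, name, credits FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The same query with mysqli and positional binding (post #5's preference).
function findUserMysqli(mysqli $db, string $name): array {
    $stmt = $db->prepare('SELECT id, name, credits FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Identifiers (column names in ORDER BY) cannot be bound at all; this is
// where post #5's input whitelist applies.
function listUsersSorted(PDO $db, string $sortBy): array {
    $allowed = ['id' => 'id', 'name' => 'name', 'credits' => 'credits'];
    if (!isset($allowed[$sortBy])) {
        throw new InvalidArgumentException('Unknown sort column');
    }
    $sql = 'SELECT id, name, credits FROM users ORDER BY ' . $allowed[$sortBy];
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);
var_dump(findUserPdo($pdo, "O'Brien")); // the quote is just a character in the bound value
```

The unsafe function is kept only to show what the bound versions replace; on a real CMS it is the pattern to search for and remove.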