A
Anonymous
Guest
Hi,

Does a similar precaution need to be taken when querying SQL Server with the PHP sqlsrv functions at http://php.net/manual/en/ref.sqlsrv.php?

Yes, sqlsrv_prepare.

Generally, prepare functions allow you to pass in parameter values without building up strings of SQL. It is these strings that can cause problems. For example, imagine this (abbreviated) code, which is meant to return a row if the user is registered and no row if the user is not registered:

Code:
$sEmail = $_GET['email']; // Get user input
$sPass = $_GET['pass'];
$sSql = "select user_id from users where email = '$sEmail' and pass = '$sPass' ";
// if row exists then user is registered

For the input 'user1', 'my-password', the code will return a row if user1 is registered and the password is correct. However, a malicious user could enter the values below and the code will also work and return a random user id (maybe the first user id in the database - probably the admin user!):

Code:
// Bad user enters this value as both the email address and the password (note the carefully placed single quotes):
' or '1' = '1
// this produces a sql statement that looks like this:
select user_id from users where email = '' or '1' = '1' and pass = '' or '1' = '1' // returns all rows in table

-A
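As an added example (not code from the original post), here is the concatenated query from the thread next to the same lookup rewritten with sqlsrv_prepare. The connection details are placeholders, and the function names and the `users` table columns (user_id, email, pass) are assumed from the post:

```php
<?php
// Added example, not from the original post. Assumes a SQL Server reachable
// through the sqlsrv extension and a `users` table (user_id, email, pass)
// as described in the thread; the connection values below are placeholders.
$conn = sqlsrv_connect('SERVER_PLACEHOLDER', [
    'Database' => 'DB_PLACEHOLDER',
    'UID'      => 'USER_PLACEHOLDER',
    'PWD'      => 'PASSWORD_PLACEHOLDER',
]);
if ($conn === false) {
    die(print_r(sqlsrv_errors(), true));
}

// Vulnerable form from the thread: the input is pasted into the SQL text,
// so a value such as  ' or '1' = '1  rewrites the statement itself.
function lookupUserUnsafe($conn, string $email, string $pass)
{
    $sql  = "select user_id from users where email = '$email' and pass = '$pass'";
    $stmt = sqlsrv_query($conn, $sql);
    return $stmt === false ? false : sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
}

// Hardened form: the SQL text is fixed and the values travel as bound
// parameters (the ? placeholders), so quotes in the input are plain data
// and can never change the WHERE clause.
function lookupUserSafe($conn, string $email, string $pass)
{
    $sql  = 'select user_id from users where email = ? and pass = ?';
    $stmt = sqlsrv_prepare($conn, $sql, [&$email, &$pass]);
    if ($stmt === false || sqlsrv_execute($stmt) === false) {
        return false; // inspect sqlsrv_errors() for the cause
    }
    // array with user_id when a row matched, null when no row matched
    $row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
    sqlsrv_free_stmt($stmt);
    return $row;
}

// The thread compares a plaintext pass column; a real login would store a
// password hash and check it with password_verify() after fetching the row.
$email = $_GET['email'] ?? '';
$pass  = $_GET['pass'] ?? '';
$row   = lookupUserSafe($conn, $email, $pass);
echo $row ? "registered: user_id {$row['user_id']}\n" : "not registered\n";
```

With the same `' or '1' = '1` input in both fields, lookupUserUnsafe() returns the first row of the table while lookupUserSafe() returns null, because the bound value is compared literally against the email and pass columns.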