Jump to content

Security - SQL Injections


Harmster
 Share

Recommended Posts

Hey,

My company asked me how Processwire handles SQL Injections, i was quite sure this was done somewhere but after some scanning through the code and the documentation. I noticed I couldn't really find an answer to the question. Because security is a big issue I would like to ask where and how processwire handles SQL injections?

Big thanks!

Greetings,

Harm.

  • Like 1
Link to comment
Share on other sites

PW gives you the tools to prevent it, but it won't prevent it for you. Make sure you sanitize all user input http://processwire.c...bles/sanitizer/

Aww, that sucks. I worked with CakePHP framework before and I am used to the automatic prevention from frameworks so it kind of does suck that I have to do it manually. Are there any plans to build this, requirement for webdevelopment, prevention in the query engine?

Link to comment
Share on other sites

My company asked me how Processwire handles SQL Injections, i was quite sure this was done somewhere but after some scanning through the code and the documentation. I noticed I couldn't really find an answer to the question. Because security is a big issue I would like to ask where and how processwire handles SQL injections?

ProcessWire's API doesn't use SQL queries -- it uses selectors. SQL injection is a non-issue in ProcessWire.

ProcessWire does not get involved with database abstraction layers, so if you are executing SQL queries then you are using PHP and MySQL (mysqli). You can always add your own database abstraction layers to do whatever you want. But typical usage of ProcessWire for developing a site does not involve SQL. If you are using SQL for something and you want to stick with the DB driver PW is using (PHP's mysqli) then you eliminate SQL injection by either using prepared statements or escaping your strings before putting them in a query. Use it the way you are supposed to and SQL injection is a non issue.

Is it possible your company was asking about the security of the software itself? ProcessWire's own queries are well protected against SQL injection, of course. SQL injection is a problem of bad code. If one uses the database driver in the way it is supposed to be used, then you are never subject to SQL injection.

Btw, I don't know about what CakePHP is doing, but the whole idea of trying to protect the user from SQL injection (outside of the DB driver) sounds like a security problem in and of itself. We've seen this with PHP's magic quotes, which was meant to protect the user from SQL injection. Anything that tries to protect you from yourself ultimately encourages bad programming practices by making security a grey area. That fosters an environment where many think they don't have to sanitize and validate input, which becomes an even bigger security problem.

  • Like 9
Link to comment
Share on other sites

PW gives you the tools to prevent it, but it won't prevent it for you. Make sure you sanitize all user input http://processwire.c...bles/sanitizer/

None of PW's sanitization/validation functions have to do with SQL injection, since PW's API doesn't involve SQL queries.

Eliminating SQL injection is just a matter of using the DB driver (mysqli) the way the manual says to. Specifically, using prepared statements or escaping strings. Using prepared statements is preferable in general, but my personal preference is escape my own strings.

Link to comment
Share on other sites

ProcessWire's API doesn't use SQL queries -- it uses selectors. SQL injection is a non-issue in ProcessWire.

ProcessWire does not get involved with database abstraction layers, so if you are executing SQL queries then you are using PHP and MySQL (mysqli). You can always add your own database abstraction layers to do whatever you want. But typical usage of ProcessWire for developing a site does not involve SQL. If you are using SQL for something and you want to stick with the DB driver PW is using (PHP's mysqli) then you eliminate SQL injection by either using prepared statements or escaping your strings before putting them in a query. Use it the way you are supposed to and SQL injection is a non issue.

Is it possible your company was asking about the security of the software itself? ProcessWire's own queries are well protected against SQL injection, of course. SQL injection is a problem of bad code. If one uses the database driver in the way it is supposed to be used, then you are never subject to SQL injection.

Btw, I don't know about what CakePHP is doing, but the whole idea of trying to protect the user from SQL injection (outside of the DB driver) sounds like a security problem in and of itself. We've seen this with PHP's magic quotes, which was meant to protect the user from SQL injection. Anything that tries to protect you from yourself ultimately encourages bad programming practices by making security a grey area. That fosters an environment where many think they don't have to sanitize and validate input, which becomes an even bigger security problem.

Thank you for your time and your clear answer :)

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...