Best Package to Address SQL Injection...
by E. Anderson - 8 years ago (2015-08-28)
Looking for the easiest, most direct method to upgrade MySQL 5.5 code throughout an application that has several hundred MySQL queries. Glad to upgrade to 5.6 if advised. Thanks very much.
Why don't you use my DPManager? With this class you can execute queries from arrays, getting results as an object, array, string or JSON string. If you are thinking of switching between MySQL, MSSQL and Oracle, it is compatible with ADODB's multiple drivers.
This package will help you to sanitize (validate/clean) your inputs; this is 50% of the problem. To solve the other half you might need to check your queries and maybe rewrite them in order to use prepared statements.
Hope this helps.
If you have SQL injection vulnerabilities in your code, there is no class that can remove them.
The matter is in the way you compose your SQL queries. If you just concatenate values for text literal values in your query, for instance values submitted by the user via forms, and do not escape them properly, your application is vulnerable.
You need either to escape your literal values coming from insecure sources ($_POST, $_GET, etc.) or to use prepared queries to tell the database what types of values are expected.
When you use prepared queries, if you pass a value of incorrect type, it will result in an error but your application will not be vulnerable.
This class is a wrapper around the MySQLi extension that makes it easier to execute prepared queries with parameter values.
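The contrast the answer above draws between concatenating a literal into the query text, escaping it, and binding it through a prepared query, as an added example that is not part of the original thread or of any package mentioned in it. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the table, rows and the `find_user_*` function names are constructed for the illustration. A MySQLi version of the prepared lookup is included at the end for code that keeps the MySQLi extension; it is not executed here because it needs a live connection.

```php
<?php
// Added example, not code from the original thread or any listed package.
// PDO + in-memory SQLite is used only so the script runs stand-alone.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data for the demonstration.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)');
$db->exec("INSERT INTO users (name, is_admin) VALUES ('alice', 1), ('bob', 0)");

// VULNERABLE: the user-supplied value is pasted straight into the SQL text,
// so a quote inside it terminates the literal and the rest becomes SQL.
function find_user_concat(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// ESCAPED: the driver quotes the literal for this database's syntax. This
// closes the hole for string literals only; it does nothing for values that
// are not quoted (numbers, identifiers, ORDER BY clauses).
function find_user_escaped(PDO $db, string $name): array
{
    $sql = 'SELECT id, name FROM users WHERE name = ' . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// PREPARED: the SQL text is fixed at prepare time; the value travels as a
// parameter and can never change the structure of the statement.
function find_user_prepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$attack = "x' OR '1'='1";   // classic tautology payload typed into a form field

// With concatenation the WHERE clause becomes  name = 'x' OR '1'='1'  and
// every row of the table comes back, including the admin account.
printf("concatenated: %d row(s)\n", count(find_user_concat($db, $attack)));

// Escaping keeps the whole payload inside one literal; no name matches it.
printf("escaped:      %d row(s)\n", count(find_user_escaped($db, $attack)));

// The prepared query compares the entire string against the column; no match.
printf("prepared:     %d row(s)\n", count(find_user_prepared($db, $attack)));

// Legitimate input still works through the prepared version.
printf("alice:        %s\n", json_encode(find_user_prepared($db, 'alice')));

// MySQLi equivalent of find_user_prepared, for applications that keep the
// MySQLi extension. Not called in this script: it requires a live connection.
function find_user_mysqli(mysqli $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);        // 's' tells the server to expect a string
    $stmt->execute();
    $stmt->bind_result($id, $found);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['id' => $id, 'name' => $found];
    }
    $stmt->close();
    return $rows;
}
```

Run it with `php example.php` on any PHP build that has `pdo_sqlite` enabled. The practical takeaway for a code base with several hundred queries: converting each one to the prepared form is the change that removes the class of bug, because it no longer matters whether a given value was escaped; escaping helps only where every quoted literal is remembered, and it never covers unquoted positions.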