Hi, I'm working on my first Zikula module and I'd appreciate it if somebody can educate me on the best coding practice I should follow to prevent SQL injection. Reading the code of existing Zikula modules, I notice that when constructing SQL clauses the function DataUtil::formatForStore is often used to clean the user input, which just applies addslashes to the user input. Is this sufficient, or is there something I don't know about in Zikula that addresses this issue? Many use bound parameters (prepared statements) to prevent SQL injection; I'm guessing that's not what Zikula uses, right?
Thanks
good coding practice to prevent sql injection?
Reply (Team Member):
Right, for the moment one uses FormUtil::getPassedValue and DataUtil::formatForStore. Beginning with Zikula 1.3.0, Doctrine will be included, so prepared statements will become more frequently used, with Doctrine using DQL instead of SQL.
--
Guite | ModuleStudio
Reply (Team Member):
Hi,
if you use DBUtil (rather than just passing manually constructed SQL to DBUtil::executeSQL()), the architecture will automatically prepare your input for safe storage using DataUtil::formatForStore. This is the first step in preventing SQL injection. Another good practice I use (where possible) is, when you retrieve numerical input from the user, to cast it to an int/float/etc. to ensure that if the user entered a string, the string does not survive intact.
On the output side, you want to enable the SafeHTML output filter in your site config in order to prevent XSS code being included in your generated HTML.
Together, those two techniques should allow you to sleep safely at night.
Greetings
R
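The points made in the two replies above (bound parameters versus escaping, casting numeric input, and encoding on output) as one added example. This is plain PHP with PDO against an in-memory SQLite table, written for this page; it is not Zikula code and does not call DBUtil, DataUtil or the SafeHTML filter. htmlspecialchars() stands in for the output filter, the user rows and attacker inputs are constructed for the demonstration, and addslashes() is shown only in the unquoted numeric case, because SQLite does not treat a backslash as an escape inside a string literal (an addslashes()-escaped string literal that works on MySQL is a syntax error there).

```php
<?php
// Added example, not code from Zikula or from this thread. Plain PHP + PDO
// against an in-memory SQLite table; DBUtil/DataUtil are not used. The
// rows and attacker inputs below are constructed for the demonstration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, uname TEXT NOT NULL)');
$db->exec("INSERT INTO users (uid, uname) VALUES (1, 'alice'), (2, 'bob')");

/** Rows returned by an already-assembled SQL string (the concatenation style). */
function countRaw(PDO $db, string $sql): int
{
    return count($db->query($sql)->fetchAll(PDO::FETCH_ASSOC));
}

/** Rows returned by a prepared statement whose values are bound, not spliced in. */
function countBound(PDO $db, string $sql, array $params): int
{
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

// --- 1. Quoted string context -------------------------------------------
$name = "x' OR '1'='1";   // constructed attacker input for a "find by name" form

// Splicing the raw value in: the quote closes the literal and the OR
// matches every row in the table.
$leaked = countRaw($db, "SELECT uname FROM users WHERE uname = '$name'");
echo "string context, concatenated: $leaked row(s)\n";

// Binding the value: the whole payload is compared as one string and is
// never parsed as SQL, so no user matches it.
$bound = countBound($db, 'SELECT uname FROM users WHERE uname = :n', [':n' => $name]);
echo "string context, bound:        $bound row(s)\n";

// --- 2. Unquoted numeric context ----------------------------------------
$id = '1 OR 1=1';         // constructed attacker input for an ?uid= parameter

// addslashes() only escapes ' " \ and NUL. None occur here, so the payload
// passes through unchanged and the OR again matches every row: escaping
// built for quoted strings does nothing for an unquoted number.
$leaked = countRaw($db, 'SELECT uname FROM users WHERE uid = ' . addslashes($id));
echo "numeric context, addslashes:  $leaked row(s)\n";

// Casting, as the second reply suggests, keeps only the leading digits, so
// the rest of the payload does not survive into the query.
$casted = countRaw($db, 'SELECT uname FROM users WHERE uid = ' . (int) $id);
echo "numeric context, (int) cast:  $casted row(s)\n";

// Binding with an explicit integer type is the strictest form: the value is
// typed at the driver and can only ever be a number.
$stmt = $db->prepare('SELECT uname FROM users WHERE uid = :id');
$stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
$stmt->execute();
echo "numeric context, bound int:   " . count($stmt->fetchAll(PDO::FETCH_ASSOC)) . " row(s)\n";

// --- 3. Output side: encode before the value reaches HTML ---------------
// A value that was stored safely can still be an XSS payload when echoed.
// Encoding it (here with htmlspecialchars; Zikula's SafeHTML filter plays
// this role site-wide) turns the tag characters into harmless entities.
$stored = '<script>alert(document.cookie)</script>';   // constructed stored value
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```

The two halves are independent controls: binding (or, failing that, casting) decides what can reach the database, and output encoding decides what can reach the browser. Escaping with addslashes() is also tied to MySQL's backslash syntax; a database that escapes quotes by doubling them, as SQLite does, would reject or misread the escaped literal, which is one more reason to prefer bound parameters once Doctrine is available.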