Preventing SQL Injection


#1

I’ve recently come across the SQL code injection technique on https://www.w3schools.com/sql/sql_injection.asp , and have been subsequently searching for a more comprehensive website to learn how to protect my server against this technique.

My problem is that most websites refer to using PHP (Hypertext Preprocessor) Language when protecting against SQL injection.

Therefore my question is, do I need to learn PHP before I can protect against SQL Injection, or is it enough to just use SQL Parameters for Protection?

EDIT: If you’ve stumbled upon this trying to prevent SQL injection using PHP, then thought I might add this web link to a website that has taught me how to do so:


#2

Generally just don’t execute code that you got from the user, that’s only common sense, same as with most security.


#3

I don’t think it’s as simple as not executing code from the user, for example take a user log in. The user has to input values in order to gain access, and I myself have to grant access to users with valid credentials.


#4

That’s what SQL injection is. The user writes a value, what they write gets included in the query, and the whole thing gets executed, including what the user wrote. Bad separation between data and code.

The user input might be supposed to go between quotes, but if the user includes a quote, then they broke out of their string, and the rest of that user input is now treated as code.


#5

Similarly, a program might let you store data, but not run commands. But if you find a way to get the program to execute in the memory location where the data is (typically by exceeding some limit a programmer thought was high enough but isn’t enforcing), then you can run commands anyway.
Or, a forum, like this one, lets users post content, they could include javascript which makes posts for you, uploads your pm’s etc – if user-posted content was treated as code instead of data.
Someone I wrote a bot with wanted to convert text to integers, so they executed the text – it was possible to control the bot’s computer by chatting.