Prevent SQL queries built from unsanitized input

문서 > 코드 분석 > Static Analysis Rules > Prevent SQL queries built from unsanitized input

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Metadata

ID: php-security/sql-injection

Language: PHP

Severity: Error

Category: Security

CWE: 89

Description

This rule prohibits the construction of SQL queries from unsanitized input. This is crucial because it helps prevent SQL Injection attacks, a common and serious security vulnerability where an attacker can manipulate SQL queries to gain unauthorized access to a database or perform malicious actions.

In a SQL Injection attack, an attacker can insert malicious SQL code into input fields, which can then be executed by the database if the input is not properly sanitized. This can lead to data theft, data corruption, or even loss of control over the database.

To avoid this, it’s important to use prepared statements or parameterized queries, which can ensure that user input is always treated as literal data and not part of the SQL command. In PHP, you can use the prepare and bind_param functions of the mysqli extension to create safe SQL queries. For example, instead of concatenating user input into the query string, you should use placeholders (like :username and :password in the example) and then bind the actual user input to these placeholders.

Non-Compliant Code Examples

<?php
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM users WHERE user = '" . $username . "' AND pass = '" . $password . "'";
$statement = $conn->query($query);

Compliant Code Examples

<?php
$username = $_POST['username'];
$password = $_POST['password'];
$query = "SELECT * FROM users WHERE user = :username AND pass = :password";

$statement = $conn->prepare($query);
$statement->bind_param(":username", $username);
$statement->bind_param(":password", $password);
$statement->execute();
$statement->store_result();