ID: php-security/sql-injection
Language: PHP
Severity: Error
Category: Security
CWE: 89
This rule prohibits the construction of SQL queries from unsanitized input. This is crucial because it helps prevent SQL Injection attacks, a common and serious security vulnerability where an attacker can manipulate SQL queries to gain unauthorized access to a database or perform malicious actions.
In a SQL Injection attack, an attacker can insert malicious SQL code into input fields, which can then be executed by the database if the input is not properly sanitized. This can lead to data theft, data corruption, or even loss of control over the database.
To avoid this, use prepared statements (parameterized queries). The SQL text is sent to the database separately from the parameter values, so user input is always treated as literal data and never as part of the SQL command. In PHP, the `mysqli` extension provides `prepare` with positional `?` placeholders and `bind_param`, which takes a type string (such as `"ss"` for two strings) followed by the variables to bind; PDO's `prepare` also accepts named placeholders such as `:username` and `:password`, bound with `bindValue` or an array passed to `execute`. In either case, never concatenate user input into the query string: put a placeholder where the value belongs and bind the actual input to it. Note that placeholders bind values only, not table or column names, and that comparing `pass` inside the query implies plaintext password storage; in practice, fetch the stored hash and check it with `password_verify`.

Non-compliant code example:

```php
<?php
$username = $_POST['username'];
$password = $_POST['password'];
// User input is spliced directly into the SQL text, so a username such as
// admin' -- rewrites the query and comments out the password check.
$query = "SELECT * FROM users WHERE user = '" . $username . "' AND pass = '" . $password . "'";
$statement = $conn->query($query);
```

Compliant code example:

```php
<?php
$username = $_POST['username'];
$password = $_POST['password'];
// The query text is fixed; mysqli binds the values to the ? placeholders.
$query = "SELECT * FROM users WHERE user = ? AND pass = ?";
$statement = $conn->prepare($query);
$statement->bind_param("ss", $username, $password);
$statement->execute();
$statement->store_result();
```
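The following is an added, runnable example written for this rule; it is not code from the Datadog page. It goes beyond the page's snippet in three ways: it shows the same login query in its vulnerable form and in parameterized PDO and mysqli forms, it checks the password in PHP with `password_verify` instead of comparing it in SQL, and it shows an allow-list for a user-chosen sort column, since placeholders cannot bind identifiers. The `users` table layout, the function names and the sample data are assumptions constructed for the demonstration; the demo runs against an in-memory SQLite database through PDO.

```php
<?php
declare(strict_types=1);

// Added example for this rule, not code from the Datadog page. Assumes a
// `users` table (id, user, pass, created_at) where `pass` holds a
// password_hash() result; the sample data below is constructed.

// NON-COMPLIANT: the same concatenation the rule flags. A username such as
// "admin' -- " closes the string literal and comments out the rest of the
// WHERE clause, so the password is never checked.
function findUserUnsafe(PDO $db, string $username, string $password): ?array
{
    $sql = "SELECT * FROM users WHERE user = '" . $username
         . "' AND pass = '" . $password . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// COMPLIANT (PDO): named placeholder. The SQL text is fixed; the driver sends
// the value separately, so quotes or comment markers in $username stay data.
function findUserPdo(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, user, pass FROM users WHERE user = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify the password in PHP against the stored hash, not in SQL.
    if ($row === false || !password_verify($password, $row['pass'])) {
        return null;
    }
    unset($row['pass']);
    return $row;
}

// COMPLIANT (mysqli): positional ? placeholder with a type string ("s").
function findUserMysqli(mysqli $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, user, pass FROM users WHERE user = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null || !password_verify($password, $row['pass'])) {
        return null;
    }
    unset($row['pass']);
    return $row;
}

// Placeholders bind values only. Identifiers such as a user-selected sort
// column cannot be parameterized; map them through an allow-list instead.
function listUsersSorted(PDO $db, string $sortBy): array
{
    $allowed = ['user' => 'user', 'created' => 'created_at'];
    if (!isset($allowed[$sortBy])) {
        throw new InvalidArgumentException("Unknown sort column: $sortBy");
    }
    return $db->query('SELECT id, user FROM users ORDER BY ' . $allowed[$sortBy])
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration against an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pass TEXT, created_at TEXT)');
$db->prepare('INSERT INTO users (user, pass, created_at) VALUES (?, ?, ?)')
   ->execute(['admin', password_hash('s3cret', PASSWORD_DEFAULT), '2024-01-01']);

$attack = "admin' -- ";
printf("unsafe login, injected username, wrong password: %s\n",
    findUserUnsafe($db, $attack, 'wrong') ? 'logged in' : 'rejected');
printf("PDO login, injected username, wrong password:    %s\n",
    findUserPdo($db, $attack, 'wrong') ? 'logged in' : 'rejected');
printf("PDO login, real credentials:                     %s\n",
    findUserPdo($db, 'admin', 's3cret') ? 'logged in' : 'rejected');
print_r(listUsersSorted($db, 'created'));
```

Run it with `php example.php` (the `pdo_sqlite` extension must be enabled; the mysqli function is defined but only called when you have a `mysqli` connection to pass in). The injected username logs in through `findUserUnsafe` because the `--` comment removes the password clause from the query, while the same input is just an unknown username for the parameterized versions. The allow-list in `listUsersSorted` is the standard way to handle the part of a query that a placeholder cannot cover.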