SQL Injection Protection – Why Isn’t It a High Priority?

MySQLPHP

On Stack Overflow, I see a lot of PHP code in questions and answers that have MySQL queries that are highly vulnerable to SQL injection attacks, despite basic workarounds being widely available for more than a decade.

Is there a reason why these types of code snippets are still in use today?

Best Answer

I think it's mostly due to a) ignorance b) laziness. Beginners usually don't know much about sql injection, and even when they hear about it, they ignore it because it's so much simpler and easier to code that way.

Related Solutions

PHP SQL MySQL – Why Put SQL Statement in a Variable Before Using mysql_query()?

There are a few reasons to do that:

Readability: it may not apply with a simple mysql_query("SELECT…"); (by the way, aren't you expected to use PDO? It's not year 1998!). But you see the usefulness of this when it comes to multiline arguments. When you have several of these, things become even harder to read.
Refactoring: it's really minor, but may apply as well. Imagine you will get the query from a config file instead of hardcoding it. It would probably be easier/more readable to have a variable defined first, then used as an argument.
Debugging: imagine the query is generated (the thing you must never done, but well, it's another subject). If you want to set the breakpoint after the query is generated but before the query is done, it would be possible to do only if the query is actually assigned to a variable.
Tracing: this may be a temporary code, and the author may know that he will add tracing of a query later.

In other words:

$sql = "SELECT …";
mysql_query($sql);

will become:

$sql = "SELECT …";
$this->trace(123, TRACE_INFORMATION, 'Running the query ' . $sql . '.');
mysql_query($sql);

PHP – Dynamic Class Inheritance Techniques

It looks like you are having a design issue here: Tables should not extend the Database Abstraction Layer. Instead the DAL should be injected into the table as a dependency.

abstract class Table {
    protected $dal;

    public function __construct(DAL $dal) {
        $this->dal = $dal;
    }

    // whatever else all tables have in common
}

class Table_User extends Table {
    public function someMethod() {
        $this->dal->someOtherMethod();
    }
}

$table = new MyTable($dal);
$table->someMethod();

That way you will create a DAL at some upper scope and pass it down. This will also allow you to use multiple different database engines at the same time.

Additionally you obviously should not create your tables directly in your controller but let a specialized class do that. For example you could use a factory:

class TableFactory {
    protected $dal;

    public function __construct(DAL $dal) {
        $this->dal = $dal;
    }

    public function createTable($name) {
        $className = 'Table_' . $name;
        return new $className($this->dal);
    }
}

That way you can create a table factory at some point with an injected DAL and pass that table factory around.

$table = $factory->createTable('User');

Best Answer

Related Solutions

PHP SQL MySQL – Why Put SQL Statement in a Variable Before Using mysql_query()?

PHP – Dynamic Class Inheritance Techniques

Related Topic