Reputation: 654
Preventing SQL injection when connecting to the database
Is it necessary to validate user input when initially connecting to a mySQL database? Consider the following example in PHP where the initial connection to the database is being made based on user input to a form (for example, through a form that allows the administrator to change the database credentials that are stored in a file on the server):
$mysqli = new PDO('mssqli:host=' . $_REQUEST['host'] . ';dbname=' . $_REQUEST['db'] . ', $_REQUEST['username'], $_REQUEST['password']);
Is there a need to validate the $_REQUEST variable, i.e. could an SQL injection take place here? If so, is there a way to parameterize this command? Thanks for your help. Regards
Upvotes: 0
Views: 87
Answers (1)
Reputation: 157890
Is there a need to validate the $_REQUEST variable
At least it would be a good idea.
could an SQL injection take place here?
the only sane case for such a code is when a user is a database owner too. So, he scarcely would inject into a database he is already allowed in. Also, there is no SQL to inject, to be strict.
If so, is there a way to parameterize this command?
No
Upvotes: 1
Related Questions
- How can I prevent SQL injection in PHP?
- How do I prevent sql injection with php and mysql
- How to properly use mysqli to query and prevent injection
- Short Solution for SQL Injection Attacks with MySQLI
- Secured Mysqli Statement to avoid SQL Injection but the form sends only blank Info
- SQL injection protection action
- Validation and Detection of SQL Injections in PHP
- Mysqli prepared statement (SQL injection prevention)
- PHP and MySQL Injection Prevention
- Preventing SQL injection using ONLY php