
I've been looking into the most efficient method of cleaning user input. My application is a simple post request that is used to authenticate a user. Looking online I can find more than a dozen different "best" methods of doing this. A lot of these methods use deprecated php functions or seem overly complicated. In order to connect to my sql database I use the PDO class.

While searching for my own functions I stumbled across this:

Prepared statements with bound parameters are not only more portable, more convenient, immune to SQL injection, but are often much faster to execute than interpolated queries, as both the server and client side can cache a compiled form of the query.

I already use the prepare method to create my statement. Does this mean I'm safe against SQL injection attacks? What else should I be worried about?

2 Answers

If you bind ALL user data via prepared statements with PDO you should be safe from injection. Any variables you put into your SQL statement (like sort order) that you do not bind are an open vector for attack.


@Ray already answered the first part of the question. For the second part, since you're authenticating your users you should also be worried about how you store their passwords, use some one-way cryptographic hash for that with a salt. And check if calculating the hash again from the user-entered password using the original salt matches the database entry. If possible use https for the authentication step as well.

2 Comments

Thanks xception. Currently I'm using a non-uniform salted hash. After calculating the hash, I append the salt to it and store it in a db. When users authenticate I grab the salt from the db and use it in conjunction with the provided password in order to calculate the authentication hash. I also slow down the hashing function in order to discourage brute-force attacks.
You could limit the failed authentication attempts in a period of time instead; 10 failed authentication attempts in half an hour is enough for any human being and will seriously impede any brute-forcing attempts. Good luck with your work :)
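The two answers together describe three things: bind every user-supplied value, whitelist the values that cannot be bound (such as a sort column), and store passwords as salted, slow one-way hashes. The following is an added example illustrating all three with PDO; it is not code from the question or the answers, and the DSN, credentials and the `users(id, username, password_hash)` table are assumptions.

```php
<?php
// Added example: PDO login with bound parameters, a whitelist for the one value
// that cannot be bound (sort order), and password_hash()/password_verify()
// for credential storage. Assumed DSN, credentials and table layout.

$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// Registration: never store the plain password. password_hash() generates a
// random salt, applies a deliberately slow algorithm (bcrypt by default) and
// embeds salt and parameters in the result, so no separate salt column is needed.
function registerUser(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Authentication: the username is bound, so its contents can never change the SQL.
function authenticate(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() reads the salt back out of the stored hash and compares
    // in a timing-safe way; a missing user simply fails.
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Sort column and direction are identifiers, not values, so PDO cannot bind them.
// Map the request onto a fixed whitelist instead of interpolating the raw input.
function listUsers(PDO $pdo, string $sortBy, string $direction): array
{
    $columns = ['username' => 'username', 'id' => 'id'];
    $dirs    = ['asc' => 'ASC', 'desc' => 'DESC'];
    $col = $columns[$sortBy] ?? 'id';              // unknown input -> safe default
    $dir = $dirs[strtolower($direction)] ?? 'ASC';
    $stmt = $pdo->query("SELECT id, username FROM users ORDER BY $col $dir");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with the (assumed) POST fields of the login form:
// registerUser($pdo, $_POST['username'], $_POST['password']);
// $ok = authenticate($pdo, $_POST['username'], $_POST['password']);
```

Only `$col` and `$dir` ever reach the query string, and both come from the whitelist rather than from the request, so the unbound `ORDER BY` clause is no longer an injection vector.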
