Home/ Questions/Q 9000085
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-16T00:15:57+00:00

I am using a database someone else produced (and I am not really authorised

  • 0

I am using a database someone else produced (and I am not really authorised to change it). However, as I was looking into the stored procedures within the database I noticed the following procedure:

DELIMITER $$

CREATE PROCEDURE `logIn`(userName varChar(50), userPass varChar(50))
BEGIN
  declare userID int;

  SELECT 
    u.userID INTO userID 
  FROM
    users u
  WHERE
    u.userName=userName 
    AND u.userPassword=MD5(userPass);

  IF (IFNULL(uID,-1) > 0) THEN
    select 1 as outMsg;
  ELSE
    select 0 as outMsg;
  END IF;
END$$

with the corresponding table users having three columns: userID INT, userName VARCHAR(50) and userPassword VARCHAR(50).

As I am not very good at this, could someone let me know whether the input for such a function needs to be sanitised as to not allow any SQL injections and if not – why? A general rule of thumb would be very much appreciated.

P.S. This function will be called from a JS script on a form submit.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    There are a few rules of thumb here that depend on the underlying datatype and how it’s inserted into the database.

    First, Parameterized queries are always best for SQL Injection protection.. but.. if you can’t change that..

    String type:

    1. Remove any single quotes
      OR
      Replace any single quotes with the single quote twice.

    2. Replace any of the following characters with their encoded alternative;

      • >
      • <
      • ;
      • (chr 34)
      • )
      • (

      • For example.. ) is replaced with & #x29;

        -(the space in the above example is so you’ll see the code, remove it to get “)”)

    For a datatype other then string, check that the datatype is sane and remove any character that shouldn’t be in the datatype. If it’s an integer, make sure the string that you’re passing in is an integer. This can commonly be done by casting to the type in code. The cast will either work.. or cause an error. It’s also good to check that the datatype min and maxes have not been exceeded. For example.. If I was checking for an integer, I might use code similar to this:

    var myInt = parseInt(param);

    Then I might check it’s bounds to be sure it’s less then the maximum integer value and greater then the minimum integer value.

    That should be good enough to prevent a SQL Injection attack…

    And.. since you have not posted the code that actually interfaces with the database… As an added precaution.. you may also want to remove –,`,%,”,”, “”.

    You only want ‘sane’ values getting to the database call.. so an integer like, $309 wouldn’t make sense, you’d want to remove the $.. . probably by using a regex replace for any non numeric characters a comma and a period.
    [^[0-9,.]]

    Be extra cautious.

    • 0