
Is this sql code susceptible to SQL injection?

0 votes
1 answer
86 views
I have a MariaDB/PHP application used for searching biological names (Latin/Swedish) from a large scientific database. The only user textual input is to provide a (partial) name in a textfield, read by PHP and inserted in a SQL query (abbreviated):

```sql
Select ... from Database.table x WHERE Condition AND MATCH (x.scientific_name) AGAINST ('"full name"' IN BOOLEAN MODE);
```

or

```sql
Select ... from Database.table x WHERE Condition AND x.scientific_name LIKE '%partial_name%' AND !isnull(x.scientific_name);
```

These queries return 0 or more results from the database.table, defined by: `scientific_name varchar(255)`

I am presently not using parameterized queries (do I have to?)

(MariaDB ver. 11.6.2, PHP ver. 8.2, Debian 12 server with Apache2)

EDIT: PHP code:

```javascript
//User input:
//returns srcfield to a PHP var => $safein1 via js:
function fonblur1() {
    var x = document.getElementById("srcfield");
    ...
}
```

```php
//A large amount of various non-text input is used to build the dynamic SQL,
//e.g: search exact/whole name
//Dynamic SQL (untranslated code):
$sqlsrc = "SELECT f.TaxonId,f.Taxonkategori,f.Vetenskapligt_namn0, "
    . "f.URL_till_taxoninformation AS URL_till_taxoninformation, "
    . "d.Familj AS Familj, d.Slakte AS Slakte, d.TaxonId AS TaxonId2, t.taxid, "
    . "1 AS accept, 'nosyn' AS syn, "
    . "concat(d.Rike,' -› ', d.Fylum,' -› ',IFNULL(d.Klass, '~')) AS grupp "
    . "FROM namndata.ftextsrc f "
    . "JOIN namndata.taxonid0 t using (Taxonkategori) "
    . "JOIN namndata.taxon0_T d USING (TaxonId) "
    . "WHERE f.Vetenskapligt_namn0 LIKE '%" . $safein1 . "%' "
    . " AND d.TaxonStatus='Accepterat' AND d." . $roww2['Taxonkategori'] . " = '" . $roww2['Vetenskapligt_namn'] . "' "
    . $TxIdf
    . " order by grupp, d.radnr, f.Vetenskapligt_namn0 LIMIT 0,2500;";
```

Actual code, sent to MariaDB:

```sql
SELECT f.TaxonId,f.Taxonkategori,f.Vetenskapligt_namn0, f.URL_till_taxoninformation AS URL_till_taxoninformation, d.Familj AS Familj, d.Slakte AS Slakte, 'nosyn' AS syn, d.TaxonId AS TaxonId2, t.taxid, 1 AS accept, concat(d.Rike,' -› ', d.Fylum,' -› ',IFNULL(d.Klass, '~')) AS grupp FROM namndata.ftextsrc f JOIN namndata.taxonid0 t using (Taxonkategori) JOIN namndata.taxon0_T d USING (TaxonId) WHERE MATCH (f.Vetenskapligt_namn0) AGAINST ('"carnivora"' IN BOOLEAN MODE) AND d.TaxonStatus='Accepterat' AND d.Fylum = 'Chordata' order by grupp, d.radnr, f.Vetenskapligt_namn0 LIMIT 0,2500;
```
Asked by christerk (9 rep)
Dec 18, 2024, 12:34 PM
Last activity: Dec 26, 2024, 05:42 AM
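One way to parameterize both query shapes from the question with PDO prepared statements, as an added example that is not the asker's code. It uses the table and column names quoted in the question; the allow-list of rank columns (Rike, Fylum, Klass, Familj, Slakte, the columns the question's query already references) for the column that the question builds from `$roww2`, and the DSN and credentials, are assumptions.

```php
<?php
// Added example (not the asker's code): the question's two query shapes with
// bound parameters. DSN/credentials are placeholders; RANK_COLUMNS is assumed.
function connect(): PDO {
    return new PDO(
        'mysql:host=localhost;dbname=namndata;charset=utf8mb4',
        'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER',   // placeholders
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
         PDO::ATTR_EMULATE_PREPARES => false]);  // real server-side prepares
}

// Binding stops injection but not wildcard abuse: escape % and _ so a typed
// wildcard matches literally (backslash is MariaDB's default LIKE escape).
function likePattern(string $partial): string {
    return '%' . strtr($partial, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']) . '%';
}

// Identifiers cannot be bound: the rank column read from $roww2 in the
// question is checked against an allow-list instead of being interpolated.
const RANK_COLUMNS = ['Rike', 'Fylum', 'Klass', 'Familj', 'Slakte'];
function rankColumn(string $name): string {
    if (!in_array($name, RANK_COLUMNS, true)) {
        throw new InvalidArgumentException("unknown rank column: $name");
    }
    return $name;
}

// Partial-name search (the LIKE form in the question).
function searchPartial(PDO $pdo, string $partial, string $rankCol, string $rankVal): array {
    $col = rankColumn($rankCol);
    $stmt = $pdo->prepare(
        "SELECT f.TaxonId, f.Vetenskapligt_namn0
           FROM namndata.ftextsrc f JOIN namndata.taxon0_T d USING (TaxonId)
          WHERE f.Vetenskapligt_namn0 LIKE :pat
            AND d.TaxonStatus = 'Accepterat' AND d.$col = :rankVal
          LIMIT 0, 2500");
    $stmt->execute([':pat' => likePattern($partial), ':rankVal' => $rankVal]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Whole-name search (the MATCH ... AGAINST form): boolean-mode operators in
// the input are blanked before the phrase is quoted, then the phrase is bound.
function searchExact(PDO $pdo, string $fullName): array {
    $phrase = '"' . preg_replace('/["+\-<>()~*@]/', ' ', $fullName) . '"';
    $stmt = $pdo->prepare(
        "SELECT f.TaxonId, f.Vetenskapligt_namn0 FROM namndata.ftextsrc f
          WHERE MATCH (f.Vetenskapligt_namn0) AGAINST (:phrase IN BOOLEAN MODE)
          LIMIT 0, 2500");
    $stmt->execute([':phrase' => $phrase]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Binding the name is what removes the injection risk; `likePattern` and the operator blanking only deal with the two things binding alone does not touch, LIKE wildcards and boolean-mode search operators typed into the field.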