In this code
UPDATE table SET field = MD5('{$_POST['variable']}') WHERE id = 1;
Since the updated value is md5'ed, should I still take steps to prevent from injection? Like addslashes() or something like that?
Since the updated value is md5'ed, should I still take steps to prevent from injection?
In fact the variable in your code has not been MD5'ed when it goes into the query string, so the same injection issues still apply just as they would with any other variable.
If you had done $hashedVar = md5($var) in PHP and then added $hashedVar into the query string, then your question may have been a bit more legitimate, but the way you're doing it, with the MD5() as part of the query string itself, the answer is yes, it most certainly does need to be escaped to avoid injection.
However, some additional notes:

addslashes() is not the correct method to use for escaping PHP strings into SQL. You should use the real escape string function applicable to the DB API that you're using. If you're using mysqli or PDO as your DB API, your best option for this is prepared statements. If you're using the older mysql_xxx() functions then you don't have this option, but you should update to one of the other APIs, as the mysql extension is deprecated.
MD5 is not a secure hashing algorithm for passwords. If you're using plain unsalted MD5 for passwords then you are insecure already, before you even start thinking about injection attacks. You should use a better hashing algorithm such as bcrypt. Recent PHP versions include a set of password_xx() functions which are designed specifically for providing the best available quality hashing with minimal effort. (These functions are also available for older PHP versions, via a third-party library.)
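As an added example (not code from the question or the answer above), the script below runs the question's interpolation pattern and the prepared-statement alternative side by side. It assumes PHP with the pdo_sqlite extension, an in-memory SQLite database, a constructed `users` table with `id`, `name` and `password` columns, and a hand-registered MD5() SQL function (SQLite has none built in), so it runs offline with no MySQL server. The attacker input is constructed for the demonstration.

```php
<?php
// Added example, not part of the original Q&A. Assumptions: pdo_sqlite is
// available; table/column names are invented for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// SQLite has no MD5(); register PHP's md5() under that name so the
// question's query text runs unchanged (assumption for the demo only).
$pdo->sqliteCreateFunction('MD5', 'md5', 1);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$pdo->exec("INSERT INTO users (id, name, password)
            VALUES (1, 'alice', 'old-alice'), (2, 'bob', 'old-bob')");

// 1. The pattern from the question: the raw POST value is interpolated into
//    the SQL text. MD5() is evaluated by the database only after the whole
//    string has already been parsed as SQL, so it offers no protection.
function vulnerableUpdate(PDO $pdo, string $postValue): int
{
    $sql = "UPDATE users SET password = MD5('{$postValue}') WHERE id = 1";
    return $pdo->exec($sql); // number of rows changed
}

// Constructed attacker input: closes the string literal and the MD5() call,
// then comments out the WHERE clause the developer wrote. The statement the
// database actually sees is
//   UPDATE users SET password = MD5('') WHERE 1=1 -- ') WHERE id = 1
// so every user's password is reset to MD5(''), not just id 1's.
$payload = "') WHERE 1=1 -- ";
$changed = vulnerableUpdate($pdo, $payload);
echo "interpolated query changed {$changed} row(s)\n";

// 2. Hardened version: a prepared statement keeps the value out of the SQL
//    text entirely, and the hash is computed in PHP with password_hash()
//    (bcrypt by default) instead of unsalted MD5 in the database.
function safeUpdate(PDO $pdo, string $postValue): int
{
    $stmt = $pdo->prepare('UPDATE users SET password = :hash WHERE id = :id');
    $stmt->execute([
        ':hash' => password_hash($postValue, PASSWORD_DEFAULT),
        ':id'   => 1,
    ]);
    return $stmt->rowCount();
}

$changed = safeUpdate($pdo, $payload);
echo "prepared statement changed {$changed} row(s)\n";

// The same payload is now just an odd-looking password for user 1, and it
// is checked with password_verify() rather than by comparing hashes by hand.
$stored = $pdo->query('SELECT password FROM users WHERE id = 1')->fetchColumn();
var_dump(password_verify($payload, $stored));
```

The point of the pairing: in the first function the bound value never reaches MD5() as data, because the SQL parser consumes the injected quote and comment first; in the second, the driver sends the SQL text and the value separately, so no escaping step (addslashes() or otherwise) is needed for the value at all.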