duanlie1298 2014-05-22 06:21
44 views

Old messy PHP code and MySQL injection [duplicate]

This question already has an answer here:

I have a small headache with an old project of mine. I wanted to put back online a legacy version of the website I once managed. The problem is, it was coded with PHP back in 1998+, at a time when I had little to no knowledge about security issues (15yo taking first lessons in scripting stuff). When I examine the code now, I can see very little harm that can possibly be done since most of the code does basic things without much tampering with vulnerable assets. With one exception, MySQL queries. I have literally thousands of selects, inserts and updates which are wide open for any MySQL injection attempt. The project was big, there are lots of files and lots of code. Even if I search and examine every occurrence of mysql_query, I might still miss something. Lots of mess as well. Things like this are all over the place:

    // Legacy pattern: $ID is interpolated straight into the query text,
    // so anything containing a quote character changes the SQL.
    function Mess($ID) {
        $result = mysql_query("select * from table where `id` LIKE '$ID'");
    }

I was wondering whether there might be some easy way to deal with that without spending hours and hours on examining every single MySQL query. Not to mention creating all the PDO structure and trying to integrate it with this monstrosity. I'm just doing that in my spare time to honor the work lots of people devoted to creating content for this project years ago. So I was thinking about some sort of "general" solution. I was considering a php prepend file, but what could I possibly insert there so as not to cripple the incoming variables? I could just kill all GET, POST and COOKIE vars, but this would prevent the website from providing content properly. I could disable all but SELECT access rights (I don't need more since this project is not meant to be updated) for the database user and then suppress error messages, but that would still leave it open for injections, just without the possibility to modify the database. Is someone aware of something I am not, something that would "overrule" the issue? I don't mind if someone will be able to tamper with the variable to view unintended content of that particular DB. There is nothing in that database which is private only (I deleted things like passwords, e-mails etc.). I do mind however the security and integrity of other data stored on that host.


2 answers

  • douhanzhen8927 2014-05-22 06:49

    There is no one-size-fits-all solution to SQL injection. If there were, they would build that into every programming language and framework, and then SQL injection would cease to be a problem. They tried that with magic-quotes but it didn't work out and that feature is now deprecated.

    See my presentation SQL Injection Myths and Fallacies for more details on methods of protection.

    If you want to honor this old project, I suggest taking some screenshots of it and posting them as static images.


    Bill, do you have a lecture based on that presentation?

    You can view this as a webinar here (free but requires registration):
    http://www.percona.com/webinars/2012-07-25-sql-injection-myths-and-fallacies

    And I also presented it at the San Francisco MySQL Meetup:
    https://www.youtube.com/watch?v=o4dJ7hdA8fs

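The following is an added example (not code from the question or from Bill's answer) that puts the `Mess($ID)` pattern, the prepend-file filtering idea from the question, and the answer's remark about magic quotes side by side. It runs against an in-memory SQLite database through PDO so it needs no MySQL server; the `article` table, its rows and the payloads are constructed for the demo. Because SQLite escapes a quote inside a string literal by doubling it, the prepend-style filter is modelled with quote doubling rather than `addslashes()` or `mysql_real_escape_string()`, whose backslash escapes are MySQL-specific; `byIdLegacy` is an assumed second query shape that such codebases typically contain, not one quoted from the original code.

```php
<?php
// Added example, not code from the original question or answer. It runs the
// asker's Mess($ID) pattern against an in-memory SQLite database through PDO,
// so no MySQL server is needed; the table, rows and payloads are constructed.
// SQLite escapes quotes by doubling them, so the "prepend file" filter below
// doubles quotes instead of calling addslashes()/mysql_real_escape_string(),
// which produce MySQL-specific backslash escapes.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)");
$pdo->exec("INSERT INTO article VALUES (1, 'public page'), (2, 'unpublished draft')");

// The legacy pattern from the question: the value is pasted into the SQL text.
function messLegacy(PDO $pdo, string $id): array {
    return $pdo->query("SELECT * FROM article WHERE id LIKE '$id'")->fetchAll(PDO::FETCH_ASSOC);
}

// A second legacy shape (assumed, not quoted from the question): a numeric
// comparison with no quotes around the interpolated value.
function byIdLegacy(PDO $pdo, string $id): array {
    return $pdo->query("SELECT * FROM article WHERE id = $id")->fetchAll(PDO::FETCH_ASSOC);
}

// What a "general" prepend-file filter can do: escape the quote character in
// every incoming value, the way magic_quotes_gpc did.
function quoteFilter(string $value): string {
    return str_replace("'", "''", $value);
}

// The per-query fix: a prepared statement, so the value never becomes SQL
// text. LIKE wildcards are escaped too, so '%' in input matches only '%'.
function messSafe(PDO $pdo, string $id): array {
    $escaped = strtr($id, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
    $stmt = $pdo->prepare("SELECT * FROM article WHERE id LIKE ? ESCAPE '\\'");
    $stmt->execute([$escaped]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function byIdSafe(PDO $pdo, string $id): array {
    $stmt = $pdo->prepare("SELECT * FROM article WHERE id = ?");
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$quoted   = "1' OR '1'='1";   // breaks out of the quoted LIKE value
$unquoted = "1 OR 1=1";       // no quote character for a filter to escape
$wildcard = "%";              // no quote character either

// Quoted context: the filter helps here, and only here.
printf("Mess, raw payload:        %d rows\n", count(messLegacy($pdo, $quoted)));
printf("Mess, filtered payload:   %d rows\n", count(messLegacy($pdo, quoteFilter($quoted))));
printf("Mess, filtered '%%':       %d rows\n", count(messLegacy($pdo, quoteFilter($wildcard))));
// Unquoted context: the filter changes nothing.
printf("byId, filtered payload:   %d rows\n", count(byIdLegacy($pdo, quoteFilter($unquoted))));
// Prepared statements: one row for a real id, none for any payload.
printf("prepared, id 1:           %d rows\n", count(messSafe($pdo, '1')));
printf("prepared, all payloads:   %d rows\n",
    count(messSafe($pdo, $quoted)) + count(messSafe($pdo, $wildcard)) + count(byIdSafe($pdo, $unquoted)));
```

Run it with `php` on the command line. Filtering every input at the request boundary only defeats the payload that relies on a quote character inside a quoted context: the `%` wildcard and the unquoted `1 OR 1=1` contain nothing for the filter to touch, so the legacy queries still return the whole table, while the prepared statements return one row for a real id and none for any of the payloads. That is the gap magic quotes left, and why the fix has to be applied at each query site rather than in a prepend file.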
