Preventing SQL injection

SQL injection is a common but dangerous type of web application vulnerability. An attacker may execute SQL code of their choosing in order to disrupt website operation, obtain passwords, private information, etc. In SCHLIX CMS, should a vulnerability in an external application ever be exploited, the passwords stored in the user database are at worst hashed with PBKDF2, not SHA1 or SHA2. This means that brute forcing a user's password after a breach is a lot slower. You should still always write your code defensively, so that vulnerabilities are closed off across multiple attack vectors.

The simplest attack vector is usually an unvalidated URL parameter or form field.

To prevent SQL injection in SCHLIX, use the following measures:

  • use fget_int('get_input_name') and fpost_int('post_input_name') to validate integer GET/POST variables
  • use sanitize_string($variable_name) for dynamic SQL
  • use parameterized queries (SCHLIX CMS uses MySQLi, but its query syntax in the Database class is written to be PDO-compatible).
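The three measures side by side, as an added example that is not SCHLIX's own code: it assumes an open mysqli connection $db, takes fget_int() and sanitize_string() to behave as the list above describes (fget_int() is assumed to return false for a non-numeric value), and the findUser* function names are hypothetical.

```php
<?php
// Added example, not code from SCHLIX CMS. Assumes $db is an open mysqli
// connection and that fget_int()/sanitize_string() behave as the page describes
// (fget_int() is assumed to return an int, or false when the value is not numeric).

// 1. VULNERABLE: request data concatenated straight into the statement.
//    A request such as ?id=1 OR 1=1 makes the WHERE clause match every row.
function findUserVulnerable(mysqli $db, array $get): ?array
{
    $sql = "SELECT id, username FROM users WHERE id = " . $get['id'];
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// 2. HARDENED with the helpers the page names: validate the integer first and
//    reject the request on failure; escape only the parts that must stay dynamic.
function findUserWithHelpers(mysqli $db): ?array
{
    $id = fget_int('id');
    if ($id === false) {
        return null;                       // not a number: refuse, do not guess
    }
    // sanitize_string() escapes a value; it does not make a column name,
    // operator or ORDER BY clause safe, so use it for values only.
    $name = sanitize_string($_GET['name'] ?? '');
    $sql  = "SELECT id, username FROM users WHERE id = {$id} AND username = '{$name}'";
    $res  = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// 3. PREFERRED: a parameterized query. The SQL text and the values travel
//    separately, so no value can alter the statement's structure. Plain mysqli
//    is used here; SCHLIX's Database class wraps mysqli with PDO-style syntax.
function findUserPrepared(mysqli $db, string $rawId, string $rawName): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;                       // validate even when binding by type
    }
    $stmt = $db->prepare(
        "SELECT id, username FROM users WHERE id = ? AND username = ?"
    );
    $stmt->bind_param('is', $id, $rawName);   // 'i' = integer, 's' = string
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}
```

Of the three, only the prepared statement keeps the query structure fixed regardless of input; the helper-based version still depends on every dynamic fragment being escaped correctly.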