I'm reviewing a PHP library that interacts with an Informix database.

Since I'm following the library structure I cannot use PDO. Is there a guideline on how to properly protect an Informix query from SQL injection?

  • should probably ask this at stack overflow as it seems to be a programming question, but here's some docs: ibm.com/docs/en/informix-servers/… You may also want to mention the library and platform. Commented May 12 at 18:49
  • The proper way is to use parameter binding - see bobby-tables.com/php for more. While you state that you cannot use PDO you don't state what you can actually use except for "the library" - which basically says nothing. There is no guideline on how to properly use a generic "the library", but if it supports parameter binding then use it. Commented May 12 at 18:52
  • In my humble opinion this is a security question since I'm asking how to improve the security posture of a PHP library. Commented May 13 at 6:43
  • @MarcoNappi: That's a security goal, but from what I understand, the actual problem is that you have trouble identifying the database API or finding the corresponding documentation. That's not a security issue. Commented May 13 at 6:59

1 Answer

In terms of protecting against SQL injections, Informix isn't fundamentally different from other fully-featured SQL database systems like PostgreSQL, MySQL, MSSQL or whatnot. So you can pick any generic guide (like the SQL Injection Prevention Cheat Sheet from OWASP), learn how the prevention mechanisms work on a conceptual level and then look up how exactly they are implemented in Informix and the specific PHP/Informix API you're using. As you do a code review, I assume you're comfortable reading manuals.

Dealing with dynamic input in SQL queries is context-dependent.

  • If you have to insert a value, you should generally use a parameterized query aka prepared statement. As browsermator pointed out in the comments, Informix itself supports this feature. Find out which PHP/Informix API your library uses and which exact functions or methods you have to call for a prepared statement. It's going to be something along the lines of prepare, bind and execute (some or all of those steps might be combined into a single call).
  • If you want to insert an identifier like a column name, then prepared statements don't work. Instead, use a whitelist of permitted options. If this is impractical, you have to carefully validate the input and ensure that it's a) a single identifier and b) acceptable in the current context (e.g., check whether it starts with an expected prefix).
  • There can be edge cases where prepared statements may or may not be applicable, e.g., the values in the LIMIT clause. If you cannot use prepared statements for this, fall back to validation.
  • Thanks for your answer. I'm aware of prepared statements. I was searching some documentation to use as a reference. Commented May 13 at 6:45
  • @MarcoNappi: Documentation on what? If you want to know how to use prepared statements in some specific PHP/Informix API, then you need to find out which API the library uses and then search the official API documentation. So far, all we know is that it's not PDO. So what is it? Commented May 13 at 6:55
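The three cases the answer distinguishes (bound value, whitelisted identifier, validated LIMIT/FIRST count) in one PHP function. This is an added example, not code from the question's library; it assumes the ibm_db2 extension (db2_prepare/db2_execute), which can also talk to Informix, and the hypothetical table `customer` with the columns listed in the whitelist. Swap the db2_* calls for whatever prepare/bind/execute functions the reviewed library actually wraps.

```php
<?php
// Identifiers cannot be bound as parameters, so permitted column names are a
// fixed whitelist (hypothetical columns for this example).
const SORTABLE_COLUMNS = ['customer_id', 'last_name', 'created_at'];

function validatedSortColumn(string $requested): string {
    if (!in_array($requested, SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException("Unsupported sort column: $requested");
    }
    return $requested;
}

// Row-count limits are often not bindable either; accept only a bounded,
// all-digit integer and splice the resulting int (never the raw string).
function validatedLimit($requested, int $max = 500): int {
    $s = (string)$requested;
    if (!ctype_digit($s) || (int)$s < 1 || (int)$s > $max) {
        throw new InvalidArgumentException("Limit must be an integer between 1 and $max");
    }
    return (int)$s;
}

function findCustomers($conn, string $lastName, string $sortBy, $limit): array {
    $column = validatedSortColumn($sortBy);
    $n      = validatedLimit($limit);

    // Only the validated identifier and integer are interpolated; the user-
    // supplied data value travels as a bound parameter (the ? placeholder).
    // FIRST n is Informix's row-limiting syntax.
    $sql  = "SELECT FIRST $n customer_id, last_name, created_at FROM customer "
          . "WHERE last_name = ? ORDER BY $column";
    $stmt = db2_prepare($conn, $sql);
    if ($stmt === false || !db2_execute($stmt, [$lastName])) {
        throw new RuntimeException('Query failed: ' . db2_stmt_errormsg());
    }

    $rows = [];
    while ($row = db2_fetch_assoc($stmt)) {
        $rows[] = $row;
    }
    return $rows;
}

// Usage (constructed connection string; real values come from the deployment):
// $conn = db2_connect('DATABASE=stores;HOSTNAME=ifx.example;PORT=9088;PROTOCOL=TCPIP;UID=app;PWD=secret', '', '');
// print_r(findCustomers($conn, "O'Brien", 'last_name', 25));
```

A value such as `O'Brien` reaches the server as data, not as query text, which is the property the whole answer turns on; the identifier and limit paths throw before any SQL is built if the input is not on the whitelist or not a bounded integer.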
