MySQL Database Attacks other than SQL Injection
I am using mysqli prepared statements and bound variables.
Then, to prevent SQL injection, do I need to do anything else (e.g. data type validation, filtering, sanitizing, string escaping, etc.) with user input?
Is there any other way of attacking a MySQL database other than SQL injection?
To prevent SQL injection you have to format your query properly.
Every literal that has to be added to the query dynamically has to be properly formatted.
Not only data literals like strings and numbers but all of them, including operators and identifiers. The only proper way to get values formatted is prepared statements.
For the identifiers and operators you will also need filtering, to let only allowed ones into the query.
Whether it is user input or not should not be involved at all. It's the destination, not the source, that matters.
Is there any other way of attacking a MySQL database other than SQL injection?
Sure thing. But the topic is too broad to make you secure by means of a forum post. Better hire a DBA.
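One way to put this answer into practice with mysqli, as an added illustration rather than code from the question or the answer (the `products` table, its columns and the request parameters are assumed):

```php
<?php
declare(strict_types=1);

// Added example: values are bound through a prepared statement, while
// identifiers (column names) and operators/keywords (sort direction) go
// through an allow-list, because prepared statements cannot bind those.
// The table, its columns and the request parameters are hypothetical.
function findProducts(mysqli $db, string $sortBy, string $direction, string $namePrefix, int $maxPrice): array
{
    // Identifier: only a name taken from this allow-list may reach the query text.
    $allowedColumns = ['name', 'price', 'created_at'];
    if (!in_array($sortBy, $allowedColumns, true)) {
        throw new InvalidArgumentException('Unknown sort column');
    }

    // Keyword: map the input onto one of two fixed tokens; the raw string is never used.
    $direction = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';

    // Values: always bound, never concatenated, wherever they came from.
    // The int type declaration on $maxPrice is the "data type validation" part.
    $sql = "SELECT id, name, price FROM products"
         . " WHERE name LIKE ? AND price <= ?"
         . " ORDER BY `$sortBy` $direction";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }

    // LIKE wildcards inside the value are data, not pattern syntax, so escape
    // them for LIKE only (MySQL's default LIKE escape character is backslash).
    $pattern = addcslashes($namePrefix, '%_\\') . '%';
    $stmt->bind_param('si', $pattern, $maxPrice);
    $stmt->execute();

    // get_result() requires the mysqlnd driver (assumed here).
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage, assuming an existing mysqli connection in $db:
// $rows = findProducts($db, $_GET['sort'] ?? 'name', $_GET['dir'] ?? 'asc',
//                      $_GET['q'] ?? '', (int) ($_GET['max'] ?? 100));
```

Because the two strings that reach the query text come from fixed allow-lists and the two values are bound, no additional escaping of the request parameters is needed.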