Welcome to WebmasterWorld Guest from 184.108.40.206 , register , free tools , login , search , subscribe , help , library , announcements , recent posts , open posts Pubcon Website
SQL injections how to write against them sql injections pinto172 msg:3402441 9:13 pm on Jul 23, 2007 (gmt 0) I want to know how to prevent or try to resist sql injections in my code. I filter our everything except text in most of my forms but most use htmlspecialchars. Should I not use that?
Should I limit the amount of data input?
I mean what is everyone else doing that works?
eelixduppy msg:3402454 9:21 pm on Jul 23, 2007 (gmt 0)
The number one thing you really have to do is to escape your query variables. To do this, you can use mysql_real_escape_string [ php.net] or mysql_escape_string [ php.net]. jezzer300 msg:3402457 9:25 pm on Jul 23, 2007 (gmt 0)
Any input field should have the addslashes() function put around the variable when building your sql command.
$reference = $_REQUEST['reference']
... use $reference in you code as usual...
$sql= "SELECT count(*) FROM track_page WHERE session_index='$session_index' AND reference='".addslashes($reference)."'";
$result = @mysql_query($sql);
Likewise, when you retrieve that data to display back to the user you may want to add htmlspecialchars($reference) around the code.
You can test your input fields by entering '
* I really would not reccomend using magic_quotes.
eelixduppy msg:3402465 9:32 pm on Jul 23, 2007 (gmt 0)
Just a quick note: addslashes shouldn't be used unless you cannot use the functions I linked to above. Not only are additional characters escaped with those functions but in the case of mysql_real_escape_string, the charset of the database is used, as well. WesleyC msg:3402487 9:54 pm on Jul 23, 2007 (gmt 0)
SQL injection depends a lot on what version of SQL you're using--mysql_real_escape_string is definitely the best choice if you're using MySql, but for Microsoft SQL Server you can use...
str_replace( "'", "''", $evilInput );
Microsoft SQL interprets two single quotes ('') as a single escaped quote.
edited by: WesleyC at 9:55 pm (utc) on July 23, 2007] pinto172 msg:3402714 4:06 am on Jul 24, 2007 (gmt 0)
I use only php and mysql on my applications.