WebmasterWorld: PHP Server Side Scripting Forum
SQL injections how to write against them
sql injections
pinto172
msg:3402441, 9:13 pm on Jul 23, 2007 (gmt 0)

I want to know how to prevent or try to resist SQL injections in my code. I filter out everything except text in most of my forms, but most use htmlspecialchars. Should I not use that?

Should I limit the amount of data input?

I mean what is everyone else doing that works?

eelixduppy
msg:3402454, 9:21 pm on Jul 23, 2007 (gmt 0)

The number one thing you really have to do is to escape your query variables. To do this, you can use mysql_real_escape_string [php.net] or mysql_escape_string [php.net].

jezzer300
msg:3402457, 9:25 pm on Jul 23, 2007 (gmt 0)

Any input field should have the addslashes() function put around the variable when building your SQL command.

for example:

$reference = $_REQUEST['reference'];

... use $reference in your code as usual...

$sql = "SELECT count(*) FROM track_page WHERE session_index='$session_index' AND reference='".addslashes($reference)."'";
$result = @mysql_query($sql);

Likewise, when you retrieve that data to display back to the user you may want to add htmlspecialchars($reference) around the code.

You can test your input fields by entering '

* I really would not recommend using magic_quotes.

eelixduppy
msg:3402465, 9:32 pm on Jul 23, 2007 (gmt 0)

Just a quick note: addslashes shouldn't be used unless you cannot use the functions I linked to above. Not only are additional characters escaped with those functions but in the case of mysql_real_escape_string, the charset of the database is used, as well.

WesleyC
msg:3402487, 9:54 pm on Jul 23, 2007 (gmt 0)

SQL injection depends a lot on what version of SQL you're using--mysql_real_escape_string is definitely the best choice if you're using MySql, but for Microsoft SQL Server you can use...

str_replace( "'", "''", $evilInput );

Microsoft SQL interprets two single quotes ('') as a single escaped quote.

[edited by: WesleyC at 9:55 pm (utc) on July 23, 2007]
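The two quoting styles the posters describe, put side by side in one added example (this is not code from the thread, and the function names, the `displaySafe` helper and the placeholder connection details are assumptions). It builds jezzer300's `track_page` query with the MySQL escaping eelixduppy recommends (via `mysqli_real_escape_string`, the successor of `mysql_real_escape_string`, which needs an open connection so the escaping follows the connection charset) and with the doubled single quote WesleyC gives for SQL Server, then applies `htmlspecialchars` on the way back out, as jezzer300 suggests. The SQL Server path is a pure string function, so the script runs offline with the constructed inputs, including the lone `'` from jezzer300's test.

```php
<?php
// Added example, not code from the WebmasterWorld thread. Function names,
// the sample session index and the connection details are assumptions.
declare(strict_types=1);

// Quote a value for MySQL. Requires a live mysqli connection so the escaping
// honours the connection character set, which is eelixduppy's point about
// mysql_real_escape_string versus addslashes.
function mysqlQuoted(mysqli $db, string $value): string
{
    return "'" . mysqli_real_escape_string($db, $value) . "'";
}

// Quote a value for Microsoft SQL Server by doubling single quotes, as
// WesleyC describes. Pure function, so it needs no connection.
function mssqlQuoted(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

// The query from jezzer300's post. The quoter is injected so the same builder
// serves either database, and every value that reaches the statement goes
// through it, not only the one taken from the form.
function buildTrackPageQuery(callable $quote, string $sessionIndex, string $reference): string
{
    return 'SELECT count(*) FROM track_page WHERE session_index='
        . $quote($sessionIndex)
        . ' AND reference=' . $quote($reference);
}

// Output side: HTML-escape stored data when echoing it back. ENT_QUOTES makes
// sure single quotes are covered too, which the default flags do not.
function displaySafe(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: the lone quote jezzer300 suggests typing into a field,
// and an ordinary value that legitimately contains one.
$samples = ["'", "O'Reilly"];

foreach ($samples as $input) {
    $sql = buildTrackPageQuery('mssqlQuoted', 'sess-42', $input);
    echo $sql, PHP_EOL;
    // Sanity check: after quoting, the statement holds an even number of
    // single quotes, i.e. every string literal is closed.
    assert(substr_count($sql, "'") % 2 === 0);
    echo displaySafe($input), PHP_EOL;
}

// MySQL path, only attempted when the mysqli extension is loaded and the
// DEMO_MYSQL environment variable is set; host and credentials are placeholders.
if (extension_loaded('mysqli') && getenv('DEMO_MYSQL') !== false) {
    $db = new mysqli('localhost', 'demo_user', 'demo_pass', 'demo_db');
    $db->set_charset('utf8mb4');
    $quote = fn(string $v): string => mysqlQuoted($db, $v);
    echo buildTrackPageQuery($quote, 'sess-42', "O'Reilly"), PHP_EOL;
}
```

The builder takes the quoting function as a parameter so that switching from MySQL to SQL Server changes one argument rather than every query; the even-quote check is only a smoke test for the demo, not a substitute for escaping.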

pinto172
msg:3402714, 4:06 am on Jul 24, 2007 (gmt 0)

I use only PHP and MySQL on my applications.
