sql injection

sudhakararaog

I have implemented a way to avoid SQL injection in the PHP website, following this URL:

http://in.php.net/mysql_real_escape_string (the "Example #3 A "Best Practice" query" section of that page).

 

Following are the steps I have followed after the form values are submitted to a PHP file.

 

step 1.

// undo magic_quotes so the value is not escaped twice later
if(get_magic_quotes_gpc())
{
    $username = stripslashes($_POST["username"]);
    .........
}
else
{
    $username = $_POST["username"];
    .........
}

 

step 2.

$conn = mysql_connect($hostname, $user, $password);

 

step 3.

// each value is escaped for this connection before it is placed in the query text
$insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s', ...)",
    mysql_real_escape_string($username, $conn),
    ...);

 

step 4.

if(!$conn)
{
    header("Location: http://website/dberror.html");
    exit;
}
else
{
    mysql_select_db($database, $conn);

    $insertqueryresult = mysql_query($insertquery);

    if(!$insertqueryresult) {
        header("Location: http://website/error.html");
        exit;
    }
}

 

With the above method I am able to insert values into the table even if I enter the ' special character, which can cause problems.

 

I have also used a simple SQL insert query like

$insertquery = "INSERT INTO table(username, ...) VALUES ('$username', ...)";

 

When I used this simple insert query and entered ' in the form and submitted it, the PHP file was unable to process the information entered because of the ' character, and as per the code the error.html file is displayed, whereas if I use

$insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s', ...)",
    mysql_real_escape_string($username, $conn),
    ...);

even if I enter any number of ' characters in more than one form field, the data is inserted into the table.

 

a)

So I am thinking that the steps I have taken from the PHP site are correct and the right way to avoid SQL injection, though there are several ways to avoid SQL injection.

 

b)

For example, if I enter data in the form as abc'''def for the name, the data in the table for the name field is written as abc'''def.

Based on how I have written the steps to avoid SQL injection, is this the right way for the data to be stored, with ' characters along with the data as in the example I mentioned, abc'''def?

 

Please answer questions a) and b). If there is something else I need to do, please suggest what needs to be done exactly and at which step.

Any help will be greatly appreciated.

Thanks.

 

https://forums.phpfreaks.com/topic/107859-sql-injection/
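For comparison with the escaping approach in the post above, here is the same four-step insert written with mysqli prepared statements, where the user's value is sent to the server separately from the SQL text instead of being escaped into it. This is an added example, not the poster's code or anything from the PHP manual page they cite; it assumes PHP 7 with the mysqli extension, the same $hostname, $user, $password and $database variables, a table named users with a username column, and the two redirect pages named in the post.

```php
<?php
// Added example (not the poster's code): the post's insert flow with
// mysqli prepared statements. Assumed: PHP 7 + mysqli, a `users` table
// with a `username` column, and a form field named "username".

// Step 1: undo magic_quotes if an old server still has it on, so the value
// reaches the query layer exactly as the user typed it.
$username = $_POST['username'] ?? '';
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $username = stripslashes($username);
}

// Step 2: connect and check the connection BEFORE anything else uses it.
$conn = new mysqli($hostname, $user, $password, $database);
if ($conn->connect_error) {
    header('Location: http://website/dberror.html');
    exit;
}
// The connection's character set decides how the driver interprets bytes;
// set it explicitly rather than relying on the server default.
$conn->set_charset('utf8mb4');

// Step 3: prepare the statement with a placeholder. The SQL text is fixed
// and contains no user data, so quote characters in $username cannot
// change the structure of the query.
$stmt = $conn->prepare('INSERT INTO `users` (`username`) VALUES (?)');
if ($stmt === false) {
    header('Location: http://website/error.html');
    exit;
}
$stmt->bind_param('s', $username);   // 's' = bind the value as a string

// Step 4: execute; the value travels as a parameter, not as query text.
if (!$stmt->execute()) {
    $stmt->close();
    $conn->close();
    header('Location: http://website/error.html');
    exit;
}
$stmt->close();

// Read the row back to show that the value is stored exactly as typed:
// an input of abc'''def is stored as abc'''def, the quotes being data.
$check = $conn->prepare('SELECT `username` FROM `users` WHERE `username` = ?');
$check->bind_param('s', $username);
$check->execute();
$check->bind_result($stored);
$check->fetch();
$check->close();
$conn->close();

echo ($stored === $username) ? "stored verbatim\n" : "mismatch\n";
```

With a placeholder, the ' characters in abc'''def are stored literally, the same result the post reports from mysql_real_escape_string; the difference is that the query text never depends on escaping having been applied for the right connection and character set, and the connection is checked before any function needs it. Note that the mysql_* functions used in the post were deprecated in PHP 5.5 and removed in PHP 7, so mysqli or PDO is what current PHP offers for this.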

Archived

This topic is now archived and is closed to further replies.
