adam291086 Posted August 10, 2008: Hello, what is the best way to prevent a MySQL injection? Also, what else should I be trying to prevent from happening within my login script?
cooldude832 Posted August 10, 2008: Show what you've got already.
adam291086 (Author) Posted August 10, 2008: I don't have any protection. Just wanted people's thoughts. Was looking into mysql_real_escape_string but was wondering if that's all I need.
cooldude832 Posted August 10, 2008: Read what you write and at each logical point/query ask the question: what could a user put in here that would return a false TRUE? If you can't find any answers then you are good. If you aren't sure, post those portions of code and we'll aid you in answering the question.
adam291086 (Author) Posted August 10, 2008: OK, the only two bits I am trying to protect are the username and password. Either field can contain any character, so I guess I just need to protect from MySQL injections. Will mysql_real_escape_string do that?
genericnumber1 Posted August 10, 2008:
A) Make sure magic_quotes_gpc() is off; if it's on, stripslashes().
B) Make sure the variables in your SQL statements are always in quotes.
C) Use mysqli_real_escape_string() or mysql_real_escape_string() on every variable in your SQL statement.
That's really all you need to worry about on the simplest level without getting into prepared statements, etc.
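The following is an added example written for this thread, not code posted by any participant. It shows the three steps in the post above applied to a login script (undo magic_quotes_gpc so the value is escaped exactly once, escape every variable with mysqli_real_escape_string, and put the escaped value inside quotes), and beside it the prepared-statement form the post mentions, which is what removes the escaping burden entirely. The table name `users`, the column names `username` and `password_hash`, the connection credentials, and the `raw_input` and `build_login_query` helper names are assumptions made for the example; the password is checked in PHP with password_verify so that it never enters the query at all.

```php
<?php
// Added example for this thread; not code from any post above.
// Table `users` with columns `username` and `password_hash` is assumed.

// Step A: if magic_quotes_gpc is on, PHP has already backslashed the
// request data. Strip those slashes so the value is escaped exactly once
// below; double escaping corrupts data and hides whether escaping happened.
// get_magic_quotes_gpc() no longer exists in PHP 8, hence the guard.
function raw_input(string $key): string
{
    $value = $_POST[$key] ?? '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Steps B and C: escape for the connection's charset AND wrap in single
// quotes. Escaping alone is not enough: an unquoted value such as
// 1 OR 1=1 contains nothing for the escaper to touch, which is why the
// post insists on both. set_charset() below matters because the escaper
// must know the same charset the server will use to parse the query.
function build_login_query(mysqli $db, string $username): string
{
    $u = mysqli_real_escape_string($db, $username);
    return "SELECT id, password_hash FROM users WHERE username = '$u'";
}

// The prepared-statement alternative: query text and data travel
// separately, so the value needs neither escaping nor quoting.
function find_user(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare(
        'SELECT id, password_hash FROM users WHERE username = ?'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? ['id' => $id, 'password_hash' => $hash] : null;
}

// Login flow: look the user up by name only, then verify the password in
// PHP. The password therefore never becomes part of any SQL statement,
// which answers the thread's question about protecting both fields.
function login(mysqli $db): bool
{
    $user = find_user($db, raw_input('username'));
    if ($user === null) {
        return false;
    }
    return password_verify(raw_input('password'), $user['password_hash']);
}

$db = new mysqli('localhost', 'app', 'secret', 'appdb'); // assumed credentials
$db->set_charset('utf8mb4'); // keep escaping and server charset in agreement
echo login($db) ? 'logged in' : 'bad credentials';
```

build_login_query is kept only to show the escape-and-quote discipline the post describes; find_user is the form to actually use, since a bound parameter cannot change the structure of the statement regardless of what characters the username contains.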