stevehossy Posted February 28, 2009

I own a game site. There is always one user who exploits a page and does an SQL injection. This game was bought from a site; the code is very vulnerable. So I'm starting to add some protection to the scripts. For text boxes, I did htmlspecialchars. So it's not possible to send a query. Is this good? Also, I've added this:

$url = $_SERVER['REQUEST_URI'];
// strings to strip from the request URI; if anything was stripped, the request is refused
$code_entities_match = array('%','--','!','~','`','(',')','select','from','where','-','$','#','*');
$code_entities_replace = array('','','','','','','','','','','','','','');
$url1 = str_replace($code_entities_match, $code_entities_replace, $url);
if ($url != $url1) {
    die("<b>Error</b>");
}

I know these two things won't protect me from everything. But is it a good start? Also, any other SQL protection tips? Thanks!

https://forums.phpfreaks.com/topic/147266-sql-injections/
sKunKbad Posted February 28, 2009

If you're using PHP 5, there's the PECL filter_input function.
sKunKbad Posted February 28, 2009

Oh yeah, and the mysql_real_escape_string function is pretty standard SQL injection prevention.
Monkuar Posted February 28, 2009

> oh yeah, and the mysql_real_escape_string function is pretty standard sql injection prevention

Give me an example of how to use that?
stevehossy Posted February 28, 2009 (Author)

Yeah, I need an example too.
sKunKbad Posted February 28, 2009

// This is the mysqli version. See the manual for plain mysql.
function clean_for_query($data) {
    global $db;   // the open mysqli connection
    $data = mysqli_real_escape_string($db, trim($data));
    return $data;
}

$clean = clean_for_query($_POST['dirty']);
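An added example (not from anyone in this thread) that puts the escaping helper above beside the alternative that removes the need for escaping, a mysqli prepared statement. It assumes a hypothetical `users` table with `id` and `username` columns and placeholder connection details.

```php
<?php
// Added example, not code from the thread. Assumes a hypothetical table
// `users` (columns `id`, `username`); connection values are placeholders.

function connect(): mysqli {
    $db = new mysqli('localhost', 'dbuser', 'dbpass', 'gamedb'); // placeholders
    if ($db->connect_error) {
        die('Connection failed');
    }
    // mysqli_real_escape_string is character-set aware: set the charset on the
    // link itself so the escaper and the server agree on the encoding.
    $db->set_charset('utf8mb4');
    return $db;
}

// 1. Escaping, as in the post above. Only safe when the escaped value is
//    placed inside quotes in the SQL; numeric values should be cast instead.
function find_user_escaped(mysqli $db, string $name): ?array {
    $safe = mysqli_real_escape_string($db, trim($name));
    $sql  = "SELECT id, username FROM users WHERE username = '$safe'";
    $res  = $db->query($sql);
    if ($res === false) {
        return null;
    }
    return $res->fetch_assoc() ?: null;
}

// 2. Prepared statement: the value never becomes part of the SQL text, so no
//    escaping is needed and the quoting mistake in (1) cannot happen.
function find_user_prepared(mysqli $db, string $name): ?array {
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $name);   // 's' = string; use 'i' for integer ids
    $stmt->execute();
    $stmt->bind_result($id, $username);
    $row = $stmt->fetch() ? ['id' => $id, 'username' => $username] : null;
    $stmt->close();
    return $row;
}

$db = connect();
// Constructed input containing a quote, which would break a naively
// concatenated query; both functions treat it as a plain string value.
$input = "O'Brien";
var_dump(find_user_escaped($db, $input));
var_dump(find_user_prepared($db, $input));
```

With either approach the string is compared literally against `username`; the difference is that the prepared statement stays correct even if someone later forgets the quotes around the value in the SQL.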
Monkuar Posted February 28, 2009

ty sir
5kyy8lu3 Posted February 28, 2009

First thing I would do is ban that user's account and IP address lol
RussellReal Posted February 28, 2009

For str_replace you don't need to match the number of TO-REPLACE strings with WITH-REPLACE. For example:

echo str_replace(array("abc", "def"), "", "abcdefghi"); // ghi
Pedro999 Posted August 4, 2013

> first thing I would do is ban that user's account and IP address lol

Absolutely, and seriously.