[SOLVED] prevent sql injection during login?


acctman


SQL injection attacks will be executed right away; they won't be stored in the database.

But SQL injection can be used to insert data into your database, or delete it, or do just about anything you can do with it.

You will have to test any form whose data is used in an SQL query, to be sure it's the data you expect, before running mysql_query(), and filter all strings for the database with mysql_real_escape_string() to prevent this.

http://www.oregonstate.edu/manual/en/function.mysql-real-escape-string.php

Read this first:

http://www.phpfreaks.com/tutorial/php-security

Great tutorial to get the basics of security (including, but not only, SQL injection).


So if I wanted to escape this line, I'd do something like this, right?

$sql = "SELECT m_id, m_user, m_pass FROM $membtable WHERE m_user='{$en['user']}' AND m_pass='".$en['pass']."' AND m_confirmed>0 AND m_del!=1";
$result = mysql_real_escape_string(sql_query($sql));
$line = sql_fetch_assoc($result);

More like this:

<?php
// Escape each piece of outside data once, before it is placed in the query string.
$membtable = mysql_real_escape_string($membtable);
$username = mysql_real_escape_string($en['user']);
$password = mysql_real_escape_string($en['pass']);

// Build the query from the escaped values only, then run it.
$sql = "SELECT m_id, m_user, m_pass FROM ".$membtable." WHERE m_user='".$username ."' AND
m_pass='".$password."' AND m_confirmed>0 AND m_del!=1;";
$results = mysql_query($sql);
?>

 

Only escape the data that comes from outside, not the SQL you wrote, or you will escape characters that don't need to be.

You need to be connected to a mysql database for this to work.

If magic_quotes are on you will end up double-escaping your data; look at the PHP manual page for mysql_real_escape_string(), they give a good example.
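The login lookup from the reply above, written as an added example (not code from the thread) in two forms: the escaping approach discussed here, with the magic_quotes double-escaping case handled first, and the same query as a PDO prepared statement, which is an alternative the thread does not mention. $en, $membtable and the column names are the thread's own; $link and $pdo are assumed to be already-open connections.

```php
<?php
// Undo magic_quotes_gpc before escaping, otherwise the value gets escaped twice
// (the double-escaping problem mentioned in the reply). get_magic_quotes_gpc()
// no longer exists in PHP 8, so the check is guarded; it only matters for the
// old mysql_* extension this thread is about.
function clean_input($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// 1. Escaping approach from the reply. Only the data that came from outside
//    ($en['user'], $en['pass']) is escaped; $membtable is set in code, not by
//    the user, so it is left alone as the reply advises.
function login_query_escaped($link, $membtable, array $en) {
    $username = mysql_real_escape_string(clean_input($en['user']), $link);
    $password = mysql_real_escape_string(clean_input($en['pass']), $link);
    $sql = "SELECT m_id, m_user, m_pass FROM " . $membtable
         . " WHERE m_user='" . $username . "' AND m_pass='" . $password
         . "' AND m_confirmed>0 AND m_del!=1";
    $result = mysql_query($sql, $link);
    return $result ? mysql_fetch_assoc($result) : false;
}

// 2. Same lookup as a PDO prepared statement (assumed $pdo connection). The
//    user and password values are sent separately from the SQL text, so there
//    is no escaping step to forget or to apply twice.
function login_query_prepared(PDO $pdo, $membtable, array $en) {
    $sql = "SELECT m_id, m_user, m_pass FROM " . $membtable
         . " WHERE m_user = :user AND m_pass = :pass"
         . " AND m_confirmed > 0 AND m_del != 1";
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array(
        ':user' => clean_input($en['user']),
        ':pass' => clean_input($en['pass']),
    ));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}
?>
```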
