
[SOLVED] prevent sql injection during login?


acctman


SQL injection attacks will be executed right away; they won't be stored in the database.

But SQL injection can be used to insert data into your database or delete it or do just anything you can do with it.

You will have to test any form whose data is used in an SQL query to be sure it's the data that you expect before running mysql_query(), and filter all strings for the database with mysql_real_escape_string() to prevent this.

http://www.oregonstate.edu/manual/en/function.mysql-real-escape-string.php

Read this first:

http://www.phpfreaks.com/tutorial/php-security

Great tutorial to get the basics of security (including, but not only, SQL injection).


So if I wanted to escape this line, I'd do something like this, right?

$sql = "SELECT m_id, m_user, m_pass FROM $membtable WHERE m_user='{$en['user']}' AND m_pass='".$en['pass']."' AND m_confirmed>0 AND m_del!=1";
$result = mysql_real_escape_string(sql_query($sql));
$line = sql_fetch_assoc($result);


More like that:

<?php
$membtable = mysql_real_escape_string($membtable);
$username = mysql_real_escape_string($en['user']);
$password = mysql_real_escape_string($en['pass']);

$sql = "SELECT m_id, m_user, m_pass FROM ".$membtable." WHERE m_user='".$username ."' AND
m_pass='".$password."' AND m_confirmed>0 AND m_del!=1;";
$results = mysql_query($sql);
?>

 

Only escape the data that comes from outside, not the SQL you wrote, or you will escape characters that don't need it.

You need to be connected to a MySQL database for this to work.

If magic_quotes is on you will end up double-escaping your data; look at the PHP manual page for mysql_real_escape_string(), they give a good example.
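
An added example, not part of the thread: the same login query written with PDO prepared statements instead of mysql_real_escape_string() (the mysql_* functions were removed in PHP 7.0), with the table name checked against an allow-list because escaping does not protect an unquoted identifier. The `find_member` function, the `members` table name, the in-memory SQLite stand-in for MySQL and the sample row are assumptions made for illustration.

```php
<?php
// Added example: table name, function name and sample row are constructed.
const ALLOWED_TABLES = ['members'];  // identifiers cannot be bound, so allow-list them

function find_member(PDO $db, string $membtable, string $user, string $pass)
{
    // Escaping only protects values placed inside quotes. A table name is
    // interpolated unquoted, so it must match a known name exactly.
    if (!in_array($membtable, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('unknown table');
    }

    // Placeholders keep user input out of the SQL text entirely, so there
    // is nothing to escape and magic_quotes double-escaping cannot occur.
    $stmt = $db->prepare(
        "SELECT m_id, m_user FROM $membtable
          WHERE m_user = :user AND m_pass = :pass
            AND m_confirmed > 0 AND m_del != 1"
    );
    $stmt->execute([':user' => $user, ':pass' => $pass]);

    return $stmt->fetch(PDO::FETCH_ASSOC);  // false when no row matches
}

// In-memory SQLite stands in for the MySQL server so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (m_id INTEGER PRIMARY KEY, m_user TEXT,
           m_pass TEXT, m_confirmed INTEGER, m_del INTEGER)');
$db->exec("INSERT INTO members VALUES (1, 'alice', 'stored-pass-value', 1, 0)");

// Matching credentials: the row is returned.
var_dump(find_member($db, 'members', 'alice', 'stored-pass-value'));

// Input containing a quote and a comment marker is compared as a literal
// username, so it matches no row.
var_dump(find_member($db, 'members', "alice'--", 'anything'));

// A table name outside the allow-list is rejected before any SQL is built.
try {
    find_member($db, 'members; --', 'alice', 'stored-pass-value');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```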
