onedumbcoder, posted July 17, 2009:
Thread: https://forums.phpfreaks.com/topic/166260-what-steps-do-i-need-to-take-to-prevent-in-sql-attack-when-i-am-using-input-in-q/

What steps do I need to take to prevent an SQL attack when I am using input from the user in a query? Let's say we have the variables

$name = $_POST['name'];
$zipcode = $_POST['zipcode'];
$message = $_POST['message']; // textarea

What should I do to these variables before I use them in either a SELECT or an INSERT to prevent an SQL attack?
teng84, posted July 17, 2009:

Use mysql_escape_string:

$name = mysql_escape_string($_POST['name']);
$zipcode = mysql_escape_string($_POST['zipcode']);
$message = mysql_escape_string($_POST['message']); // textarea
onedumbcoder (author), posted July 17, 2009:

Why or why shouldn't I use mysql_real_escape_string instead?
Amtran, posted July 17, 2009:

mysql_real_escape_string escapes all the characters that could be used in an SQL injection. For example:

<?php mysql_query("SELECT * FROM db WHERE name = $somevar"); ?>

could be hacked by inputting:

a';DROP TABLE db

which appears as:

<?php mysql_query("SELECT * FROM db WHERE name = 'a';DROP TABLE db"); ?>

So mysql_real_escape_string prevents that by escaping the apostrophe, quotation mark, and semicolons, thus preventing an injection. You want to sanitize every input to a database, but you need to be SURE to escape long inputs, like messages, news, biographies, etc. If you don't do that, users won't be able to use any of the characters mentioned above, and you'll be extra vulnerable to attack.
onedumbcoder (author), posted July 17, 2009:

So why would someone use mysql_escape_string then, if there is mysql_real_escape_string?
onedumbcoder (author), posted July 19, 2009:

Someone please tell me why someone would use mysql_escape_string if there is mysql_real_escape_string.
GingerRobot, posted July 19, 2009:

Try reading the manual page:

"This function is identical to mysql_real_escape_string() except that mysql_real_escape_string() takes a connection handler and escapes the string according to the current character set. mysql_escape_string() does not take a connection argument and does not respect the current charset setting."
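The two points the thread makes (escape every value before it enters a query, and escape against the live connection so the current charset is respected) are shown together below in an added example that is not code from any poster in this thread. It uses the mysqli extension rather than the mysql_* functions discussed above, because the mysql_* extension was removed in PHP 7.0; the table name `contacts`, its columns, the placeholder credentials, and PHP 7 or newer are assumptions. The first half uses prepared statements, which keep the values out of the SQL text entirely; the second half shows the thread's escaping approach done correctly, including the detail Amtran's vulnerable snippet omits: escaping only protects a value that sits inside quotes.

```php
<?php
// Added example (not from the thread). Assumed: a reachable MySQL/MariaDB server with the
// placeholder credentials below, and a table `contacts` with columns name, zipcode, message.
$mysqli = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($mysqli->connect_errno) {
    die('Connect failed: ' . $mysqli->connect_error);
}
// Set the connection charset explicitly. Escaping is charset-dependent, which is exactly why the
// manual says mysql_escape_string (no connection, no charset) is the weaker of the two functions.
$mysqli->set_charset('utf8mb4');

// Untrusted input. PHP superglobals are case-sensitive: it is $_POST, not $_post.
$name    = $_POST['name']    ?? '';
$zipcode = $_POST['zipcode'] ?? '';
$message = $_POST['message'] ?? '';  // textarea: long free text still needs the same treatment

// Preferred: prepared statements. The query text is sent to the server with '?' placeholders and
// the values travel separately, so nothing in $name, $zipcode or $message can alter the query.
$insert = $mysqli->prepare('INSERT INTO contacts (name, zipcode, message) VALUES (?, ?, ?)');
$insert->bind_param('sss', $name, $zipcode, $message);   // 's' = bind each value as a string
$insert->execute();
$insert->close();

$select = $mysqli->prepare('SELECT name, zipcode, message FROM contacts WHERE name = ?');
$select->bind_param('s', $name);
$select->execute();
$select->bind_result($rowName, $rowZip, $rowMessage);
while ($select->fetch()) {
    // SQL escaping says nothing about HTML; encode again on output to avoid a separate XSS problem.
    echo htmlspecialchars($rowName, ENT_QUOTES, 'UTF-8'), ' ',
         htmlspecialchars($rowZip, ENT_QUOTES, 'UTF-8'), "\n";
}
$select->close();

// Legacy alternative, as discussed in the thread, done correctly: escape against the open
// connection (so its charset is honoured) AND put the escaped value inside single quotes.
// Escaping turns a' into a\' ; that only helps if the value is a quoted string literal.
// With WHERE name = $somevar (no quotes) the escaping achieves nothing.
$safeName = $mysqli->real_escape_string($name);
$sql      = "SELECT name, zipcode, message FROM contacts WHERE name = '" . $safeName . "'";
$legacy   = $mysqli->query($sql);
while ($legacy && ($row = $legacy->fetch_assoc())) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
$mysqli->close();
```

The prepared-statement half is the one to copy: the `bind_param` type string ('s' per value here) is the only place the value's handling is decided, and there is no quoting to forget. Keep the escaping half only for understanding why the thread's advice works, and note that it requires both a connection with a known charset and quotes around every escaped value.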