orange08 Posted August 12, 2009

Currently I code all my SQL queries like this:

mysql_query("SELECT * FROM mytable") or die('Query failed: ' . mysql_error());

I know this is bad practice. Can I know what's the proper and correct way for me to do it, please? Thanks in advance!

Thread: https://forums.phpfreaks.com/topic/169875-how-to-secure-mysql_query/
Daniel0 Posted August 12, 2009

See:
http://www.phpfreaks.com/tutorial/php-security
http://www.phpfreaks.com/blog/or-die-must-die
orange08 Posted August 12, 2009 (Author)

> See: http://www.phpfreaks.com/blog/or-die-must-die

Thanks for the link, but I still don't quite understand...

> $result = mysql_query('SELECT foo FROM bar', $db) or trigger_error('Query failed: ' . mysql_error($db), E_USER_ERROR);
>
> Syntactically this is very much like the previous code snippet, but much better. Because errors of these types behave like errors PHP would normally make, you can also use all the facilities PHP has for error handling. You can implement a custom error handler so you can display nice messages to your user, and you can log the errors to a file. Finally, you can disable output of errors in a production environment.

I would like to know, for the above code, if an error did occur... will the error message be output for the user?

And the above description says that we can use all the facilities PHP has for error handling: we can implement a custom error handler so we can display nice messages to the user, and we can log the errors to a file. Finally, we can disable output of errors in a production environment. But how? I'm still not able to relate them... Can you give some example, please?
HoTDaWg Posted August 12, 2009

Sorry, I'm having trouble understanding what you are asking :S Please clarify. Errors can be controlled via the set_error_handler function.
orange08 Posted August 12, 2009 (Author)

> Sorry, I'm having trouble understanding what you are asking :S Please clarify. Errors can be controlled via the set_error_handler function.

What I'm really confused about is what's the difference between

or die(mysql_error());

and

or trigger_error('Query failed: ' . mysql_error())

What I read before is that or die(mysql_error()) will remove the opportunity to control whether errors should be displayed or not. I don't quite understand this. Does that mean that if my error reporting is set to off, then with or die(), mysql_error() will still be output to the user, which gives a hacker a chance to know your site's problem? And is it that with or trigger_error('Query failed: ' . mysql_error()), if my error reporting is set to off, then the error won't be output to the user when the error occurs?
bundyxc Posted August 12, 2009

I think that if error reporting is off, and you use trigger_error(), then it doesn't show the error. If error reporting is on, and you use trigger_error(), then it shows the error. If you use die(), then it shows the error, even if error reporting is off. Do you understand?
orange08 Posted August 12, 2009 (Author)

> I think that if error reporting is off, and you use trigger_error(), then it doesn't show the error. If error reporting is on, and you use trigger_error(), then it shows the error. If you use die(), then it shows the error, even if error reporting is off. Do you understand?

Yup, this is what I understand. I tried to ask this question before, but it seemed nobody gave me an answer...

And if that's the case, if I set error reporting to off in a production environment, then when some error occurs, my users get nothing to inform them, right? How should I code it so that mysql_error(), which must not be revealed to a hacker, won't be output, but a custom error message will be output to the user in case the SQL query fails?
Daniel0 Posted August 12, 2009

error_reporting should at all times be set to at least E_ALL. If you don't want errors to show up on the screen you should set display_errors=Off.

There is a reason why I also linked to this tutorial. It covers error reporting and what you should do with it.
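The following is an added example, not code from the thread, from the linked tutorial, or from the or-die-must-die blog post. It puts together what the quoted blog passage and Daniel0's last reply describe: error_reporting stays at E_ALL, display_errors is off in production, a custom handler installed with set_error_handler() logs the real mysql error text to a file, and the user only ever sees a generic message. The ext/mysql functions used in the thread (mysql_query, mysql_error) were removed in PHP 7.0, so the mysqli procedural equivalents are used here; the error-handling pattern is the same. The database credentials and the log path are assumptions.

```php
<?php
// Added example (not from the thread): trigger_error() + custom handler
// instead of "or die(mysql_error())".
// ext/mysql was removed in PHP 7.0, so mysqli_query()/mysqli_error() stand in
// for mysql_query()/mysql_error(); the error-handling logic is unchanged.

// These settings normally live in php.ini on the production server:
// report everything, display nothing to the client, log to a file instead.
// Switching display_errors to '1' on a dev box shows the full detail again.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app-errors.log');   // assumed log path

// Make mysqli return false on failure (as mysql_query() did) instead of
// throwing mysqli_sql_exception, which is the default since PHP 8.1.
mysqli_report(MYSQLI_REPORT_OFF);

/**
 * Custom error handler. Full details (including the mysqli error string,
 * which can leak table names and SQL fragments) go to the log only.
 * The browser gets a generic message unless display_errors is on.
 */
function app_error_handler(int $errno, string $errstr, string $errfile, int $errline): bool
{
    // Honour the error_reporting mask and the @ operator.
    if (!(error_reporting() & $errno)) {
        return false;
    }

    error_log(sprintf('[%s] errno=%d %s in %s:%d',
        date('c'), $errno, $errstr, $errfile, $errline));

    if ($errno === E_USER_ERROR) {
        // Fatal for the application: stop, but with a harmless message.
        if (!headers_sent()) {
            http_response_code(500);
        }
        if (ini_get('display_errors')) {
            // Development only: show what actually went wrong.
            echo 'Fatal error: ' . htmlspecialchars($errstr, ENT_QUOTES, 'UTF-8')
               . ' in ' . htmlspecialchars($errfile, ENT_QUOTES, 'UTF-8') . ':' . $errline;
        } else {
            echo 'Sorry, something went wrong on our side. Please try again later.';
        }
        exit(1);
    }

    // Warnings and notices were logged; let the script continue.
    return true;
}
set_error_handler('app_error_handler');

/**
 * Query wrapper. On failure it raises E_USER_ERROR carrying the real
 * mysqli_error() text, which the handler above logs but never displays
 * in production. Equivalent to the blog's
 *   $result = mysql_query(...) or trigger_error(..., E_USER_ERROR);
 */
function run_query(mysqli $db, string $sql)
{
    $result = mysqli_query($db, $sql);
    if ($result === false) {
        trigger_error('Query failed: ' . mysqli_error($db) . ' [SQL: ' . $sql . ']', E_USER_ERROR);
    }
    return $result;
}

// Connection parameters are assumptions for the example.
$db = mysqli_connect('localhost', 'app_user', 'app_password', 'app_db');
if ($db === false) {
    trigger_error('DB connection failed: ' . mysqli_connect_error(), E_USER_ERROR);
}

// Deliberately broken query to exercise the failure path: the browser gets
// the generic 500 message, the log file gets the "doesn't exist" error text.
$result = run_query($db, 'SELECT foo FROM no_such_table');
```

With display_errors=Off this prints only the generic sentence and writes the real reason to the log; with display_errors=On (development) the same code shows the full mysqli error. The die() version in the first post bypasses both settings, because die() writes its argument straight to the output regardless of error_reporting or display_errors.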