SQL injection attack



#1 brown2005
  • Members
  • Advanced Member
  • 943 posts

Posted 11 August 2006 - 09:39 AM

Hi,

I have seen many comments about "SQL injection attack", but what on earth is it...? And how do you prevent it...?

Regards

Richard

#2 Orio
  • Staff Alumni
  • Advanced Member
  • 2,491 posts

Posted 11 August 2006 - 09:43 AM

You can start here:
http://www.phpfreaks...-injection.html

Orio.
Think you're smarty?

(Gone until 20 to November)

#3 redarrow
  • Members
  • Advanced Member
  • 7,308 posts
  • Location: London

Posted 11 August 2006 - 09:55 AM

1. Always validate all information before it enters the database.
2. Make sure that when you upload files, the files are in a directory not in root.
3. Use the built-in PHP statements to help the database not to get bomb-shelled.

Example:

Use addslashes and as much validation as possible.


Wish I knew all about PHP. Damn, I will have to learn.
((EMAIL CODE THAT WORKS))
http://simpleforum.ath.cx/mail2.inc
((PAYPAL INTEGRATION THAT WORKS))
http://simpleforum.a...aypal1_info.inc

#4 brown2005
  • Members
  • Advanced Member
  • 943 posts

Posted 11 August 2006 - 10:00 AM

Cool... what does

3. Use the built-in PHP statements to help the database not to get bomb-shelled.

that mean....

#5 redarrow
  • Members
  • Advanced Member
  • 7,308 posts
  • Location: London

Posted 11 August 2006 - 10:06 AM

It means read as much validation PHP code as you can before data goes in the database.

Read the above link, ok, lol...

#6 effigy
  • Staff Alumni
  • Advanced Member
  • 3,600 posts
  • Location: IL

Posted 11 August 2006 - 01:42 PM

Use MySQL's real_escape_string instead of addslashes.
Regexp | Unicode Article | Letter Database
/\A(e)?((1)?ff(?:(?:ig)?y)?|f(?:ig)?)\z/

#7 tomfmason
  • Staff Alumni
  • Advanced Member
  • 1,696 posts
  • Location: stealing your wifi

Posted 11 August 2006 - 01:54 PM

I agree with effigy.

Here is a link that will explain SQL insertion in more detail: http://www.phpfever....n-Overview.html

And here is an example of mysql_real_escape_string in use:

$whatever = mysql_real_escape_string(trim($_POST['whatever']));

Good luck,
Tom

Traveling East in search of instruction, and West to propagate the knowledge I have gained.

current projects: pokersource

My Blog | My Pastebin | PHP Validation class | Backtrack linux
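To make Richard's question concrete, here is an added example showing the three approaches discussed in this thread side by side. It is not code posted by anyone here. It uses PDO with an in-memory SQLite database (assumes PHP with the pdo_sqlite extension) so it runs offline without a MySQL server; the same three patterns apply unchanged to MySQL through PDO. PDO::quote() stands in for mysql_real_escape_string, which was removed together with the rest of the old mysql extension in PHP 7; it is the connection-aware escaping effigy and Tom are recommending, and the reason it beats addslashes() is that it knows the connection's database and character set, while addslashes() only ever sees bytes. Prepared statements are shown as a third option that the thread does not mention: the SQL text is fixed before any user data arrives, so there is nothing left to escape.

```php
<?php
// Added example for this thread, not code posted by anyone in it.
// Assumes PHP with the pdo_sqlite extension. Uses an in-memory SQLite database
// so it runs offline; the same three patterns apply to MySQL via PDO.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample data: two users with plaintext passwords (demo only).
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
    $db->exec("INSERT INTO users (username, password) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");
    return $db;
}

// 1. Vulnerable: the input is pasted straight into the SQL text, so whatever
//    the user types is parsed as part of the query's syntax.
function loginVulnerable(PDO $db, string $user, string $pass): array {
    $sql = "SELECT username FROM users WHERE username = '$user' AND password = '$pass'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Escaped: PDO::quote() is the driver-aware escaping this thread is about
//    (the PDO counterpart of mysql_real_escape_string). It wraps the value in
//    quotes and escapes quote characters inside it for this connection's
//    database and character set, which addslashes() cannot know about.
function loginEscaped(PDO $db, string $user, string $pass): array {
    $sql = "SELECT username FROM users WHERE username = " . $db->quote($user)
         . " AND password = " . $db->quote($pass);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Prepared statement: the SQL text is fixed before any user data is seen and
//    the values are bound separately, so there is nothing left to escape.
function loginPrepared(PDO $db, string $user, string $pass): array {
    $stmt = $db->prepare("SELECT username FROM users WHERE username = :u AND password = :p");
    $stmt->execute([':u' => $user, ':p' => $pass]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = setupDb();

// A perfectly legitimate username containing an apostrophe. In version 1 the
// quote ends the SQL string literal early and the query fails with a syntax
// error; versions 2 and 3 simply treat it as data and find no such user.
try {
    loginVulnerable($db, "o'brien", 'x');
} catch (PDOException $e) {
    echo "vulnerable: query broken by a quote in the input\n";
}
var_dump(loginEscaped($db, "o'brien", 'x'));
var_dump(loginPrepared($db, "o'brien", 'x'));

// The same mechanism is what an injection relies on: a quote followed by SQL.
// Version 1 lets the WHERE condition be rewritten and returns every user;
// versions 2 and 3 compare the whole string literally and match nothing.
$injected = "' OR '1'='1";
var_dump(loginVulnerable($db, 'nobody', $injected));
var_dump(loginEscaped($db, 'nobody', $injected));
var_dump(loginPrepared($db, 'nobody', $injected));
```

The apostrophe case is the point to take away: if ordinary input can change how the query parses, then so can deliberately crafted input, and no amount of "validation" of the application's own fields fixes that. Escaping with the connection's own function (version 2) fixes it for string values; prepared statements (version 3) fix it for every value and are what the old mysql extension never offered. Whichever you use, do it for every value that reaches a query, not just the ones you expect to be hostile.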
