
Prevent SQL Injection attacks!


robert_gsfame


I have never used mysql_real_escape_string before, as I'm still new to PHP, so I always use mysql_query instead of mysql_real_escape_string.

 

Can anyone help me on how to use it?

Is it the same as when using mysql_query?

 

$username=$_SESSION['username'];
$password=$_SESSION['password'];
query = sprintf("SELECT * FROM table1 WHERE username='%s' AND password='%s'",
            mysql_real_escape_string($username),
            mysql_real_escape_string($password));
$sql=mysql_query($query);

 

Is the code above written correctly? Then where should I put mysql_real_escape_string? In all queries, and when using $_POST and $_GET?

 

Last question: must mysql_real_escape_string be combined with get_magic_quotes_gpc() and stripslashes to make my webpage safer?

 

Thanks in advance.

 

 


Yes, that code is correct actually. All mysql_escape_string() does is escape characters that are special in MySQL. For example, the ' character is commonly used in SQL injections that don't escape it. addslashes() does a similar thing, but it's best to use the functions that were made specially for the database (for example mysql_escape_string() for MySQL or pg_escape_string() for PostgreSQL).

 

magic_quotes_gpc is a setting in php.ini that, when set to On, automatically escapes all POST and GET data (using addslashes()). This can cause problems when you use mysql_escape_string() or other escaping functions, because you can end up double escaping things.

 

stripslashes() would undo whatever magic_quotes_gpc does, and you can then apply the arguably better mysql_escape_string() function (if you have a MySQL database) to your string. It would be something like so:

// magic_quotes_gpc ON
$data = $_POST['data'];                  // already escaped by magic quotes
$data = stripslashes($data);             // undo that escaping
$data = mysql_real_escape_string($data); // escape properly for MySQL
// do whatever

 

However, when you have magic_quotes_gpc set to Off, you can simply do what you did in your example.
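The strip-then-escape sequence described in the reply above, written as a reusable helper and applied to the login query from the first post, as an added example that is not code from the thread. It assumes PHP 5.x with the legacy mysql extension the thread uses (that extension was deprecated in PHP 5.5 and removed in 7.0), a MySQL connection with the placeholder credentials shown, and a table1 with username, password and an integer id column; the id column and the connection details are assumptions, not facts from the page. It also shows the one case mysql_real_escape_string does not cover: a value placed in the SQL text without surrounding quotes, where there is no quote character for the attacker to close and none for the function to escape, so the value must be cast to an integer instead.

```php
<?php
// Added example. Connection parameters are placeholders.
$link = mysql_connect('localhost', 'dbuser', 'dbpass');
if (!$link) {
    die('Could not connect: ' . mysql_error());
}
if (!mysql_select_db('appdb', $link)) {
    die('Could not select database: ' . mysql_error($link));
}

// Undo magic_quotes_gpc if it is on, then escape exactly once for MySQL.
// Escaping twice ("double escaping") stores a backslash as part of the
// data, so a legitimate O'Brien ends up in the table as O\'Brien.
function db_string($value, $link)
{
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return mysql_real_escape_string($value, $link);
}

// For values that are NOT wrapped in quotes in the SQL text (numeric
// columns), escaping changes nothing useful: "7 OR 1=1" contains no quote.
// Force the type instead; the cast keeps the leading digits and drops the rest.
function db_int($value)
{
    return (int) $value;
}

// Constructed inputs standing in for $_POST; the password is a classic
// tautology payload and the id carries an unquoted-context payload.
$username = "o'brien";
$password = "' OR '1'='1";
$user_id  = "7 OR 1=1";

// Quoted string context: escaping is sufficient, because every ' in the
// value is turned into \' and can no longer terminate the literal.
$query = sprintf("SELECT * FROM table1 WHERE username='%s' AND password='%s'",
                 db_string($username, $link),
                 db_string($password, $link));
$result = mysql_query($query, $link);
if ($result === false) {
    die('Query failed: ' . mysql_error($link));
}

// Unquoted numeric context: cast, then use %d so only digits reach the SQL.
$query2 = sprintf("SELECT * FROM table1 WHERE id=%d", db_int($user_id));
$result2 = mysql_query($query2, $link);
if ($result2 === false) {
    die('Query failed: ' . mysql_error($link));
}
```

The helper takes the connection explicitly because mysql_real_escape_string needs an open link to know the connection's character set; calling it before mysql_connect emits a warning and returns false, which sprintf would silently turn into an empty string. Keep the %s placeholders inside single quotes in the SQL text and use %d for integers; the escaping function on its own is only a defence inside a quoted literal.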


$username=$_POST['username'];
$password=$_POST['password'];
query = sprintf("SELECT * FROM table1 WHERE username='%s' AND password='%s'",
            mysql_real_escape_string($username),
            mysql_real_escape_string($password));
$sql=mysql_query($query);

 

So is using mysql_real_escape_string() enough? Is the above code safe enough? Or could you alter something so that it becomes safer?


You could replace:

$username=$_POST['username'];
$password=$_POST['password'];

 

With:

$username=get_magic_quotes_gpc() ? stripslashes($_POST['username']) : $_POST['username'];
$password=get_magic_quotes_gpc() ? stripslashes($_POST['password']) : $_POST['password'];

To make sure slashes have not already been added. Also, you forgot to put $ before your variable name for the "query" variable.
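The question in the thread is whether the escaped query can be made safer. The standard answer is a prepared statement, which sends the SQL text and the values to the server separately, so the values are never part of the query string and neither escaping nor the magic_quotes_gpc check is needed. The following is an added example, not code from the thread, showing the same login lookup with PDO. It assumes PHP with the pdo_mysql driver, the placeholder DSN and credentials shown, and the table1 layout from the original post plus an integer id column; those are assumptions.

```php
<?php
// Added example: the login lookup from the thread as a PDO prepared statement.
// DSN and credentials are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=appdb;charset=utf8mb4',
    'dbuser',
    'dbpass',
    array(
        // Throw on errors instead of returning false.
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepares; with emulation on, PDO would build
        // the query string client-side and escape the values itself.
        PDO::ATTR_EMULATE_PREPARES => false,
    )
);

function find_user(PDO $pdo, $username, $password)
{
    // The SQL is fixed at prepare time. The values bound below are data and
    // cannot change the structure of the statement, whatever they contain.
    $stmt = $pdo->prepare(
        'SELECT * FROM table1 WHERE username = :username AND password = :password'
    );
    $stmt->execute(array(
        ':username' => $username,
        ':password' => $password,
    ));
    return $stmt->fetch(PDO::FETCH_ASSOC); // false when no row matches
}

function find_user_by_id(PDO $pdo, $id)
{
    // Numeric column: bind with an explicit type rather than interpolating.
    $stmt = $pdo->prepare('SELECT * FROM table1 WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Constructed inputs: the tautology payload is compared literally against
// the password column and matches no row, and the id payload is reduced to 7.
$row = find_user($pdo, 'admin', "' OR '1'='1");
if ($row === false) {
    echo "login failed\n";
}
$byId = find_user_by_id($pdo, '7 OR 1=1');
```

The charset in the DSN makes the client and server agree on the connection encoding, which is what any escaping or parameter handling relies on; set it there rather than with a separate SET NAMES query. The same pattern is available with mysqli via mysqli_prepare() and mysqli_stmt_bind_param() for code that cannot use PDO.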
