shahzad Posted December 27, 2009

I am working on a small CMS for a website, where the admin can enter any content. On my localhost system it was working fine, but when I uploaded it to the client's server the query is not processing. Then I got to know that somewhere in the content he was typing ( Dubai's ); maybe this is the problem. But when I try the same content locally it works. Is it something to do with a PHP setting?? Or is there any solution for SQL injection?

PFMaBiSmAd Posted December 27, 2009

ALL string data that could contain special SQL characters that is put into a query must be escaped so that any special SQL characters in it (like single and double quotes) don't break the syntax of the query. Assuming you are using mysql, see this link mysql_real_escape_string for the function you need to use to escape string data.

Unfortunately, php.net has a history of trying to get php to - "help a few beginners blissfully and unknowingly write better (more secure) code." (quote taken directly from the php.net documentation.) This however means that the resulting code is not general purpose and prevents it from working on all servers.

The problem is due to magic_quotes_gpc, which automatically escapes external data. Unfortunately (again), this setting can only be turned off in the master php.ini in current versions of php likely to be in use on production servers and most people on the planet won't have access to the master php.ini to turn this offending setting off.

So, to make your code work correctly on servers where this setting is both ON and OFF, you must actually detect if the setting is ON using the get_magic_quotes_gpc function then use stripslashes on the data first, then unconditionally use mysql_real_escape_string on the data. The following code example shows the logic needed to make your code work on any current production server, regardless of the magic_quotes_gpc setting -

```php
<?php
// Undo the slashes that magic_quotes_gpc added, but only if the setting is ON
if (get_magic_quotes_gpc()) {
    $your_data = stripslashes($your_data);
}
// Always escape the value before it goes into the query
$your_data = mysql_real_escape_string($your_data);
?>
```

Depending on your actual number of variables, this logic could be put into a function to avoid repeating code.

PFMaBiSmAd Posted December 27, 2009

Slight correction to the above. magic_quotes_gpc can be turned off in a .htaccess file (when php is running as an Apache module and the server has been configured to allow php settings to be changed in a .htaccess file), in a local php.ini (when php is running as a CGI application and the server has been configured to allow php settings to be changed using a local php.ini), or in httpd.conf (Apache only and when you have access to the httpd.conf file.) In all other cases, it can only be turned off in the master php.ini.
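
The detect-then-escape logic from the answer above, wrapped in a function and run against the "Dubai's" input for a server with magic_quotes_gpc ON and one with it OFF. This is an added example, not code from the thread. The function names, the `pages`/`body` table and column, and the use of `addslashes()` as an offline stand-in for both magic_quotes_gpc and `mysql_real_escape_string()` are assumptions made so the sketch runs without a database connection.

```php
<?php
// Added example, not code from the thread. All function names are hypothetical.

// What magic_quotes_gpc does to incoming GET/POST/COOKIE strings when it is ON.
function simulate_magic_quotes($value) {
    return addslashes($value);
}

// Stand-in for mysql_real_escape_string(), which needs an open connection.
// Assumption for this offline demo only: real code calls the driver's own
// escaping function, as the answer describes.
function escape_stand_in($value) {
    return addslashes($value);
}

// The answer's logic: undo magic quotes if present, then always escape once.
// Arrays (form fields such as name="tags[]") are handled recursively.
// On a 2009-era server, $magic_quotes_on would be get_magic_quotes_gpc().
function prepare_for_query($value, $magic_quotes_on) {
    if (is_array($value)) {
        $out = array();
        foreach ($value as $key => $item) {
            $out[$key] = prepare_for_query($item, $magic_quotes_on);
        }
        return $out;
    }
    if ($magic_quotes_on) {
        $value = stripslashes($value);
    }
    return escape_stand_in($value);
}

$typed = "Dubai's"; // constructed sample: what the admin types into the CMS

// Server A has magic_quotes_gpc ON, server B has it OFF. Same form submission.
$received_on  = simulate_magic_quotes($typed);
$received_off = $typed;

// No escaping in the code: works by accident on A, breaks the syntax on B.
echo "A raw:    INSERT INTO pages (body) VALUES ('$received_on')\n";
echo "B raw:    INSERT INTO pages (body) VALUES ('$received_off')\n";

// Escaping without the stripslashes step double-escapes on A,
// so a literal backslash ends up stored in the row.
echo "A double: INSERT INTO pages (body) VALUES ('" . escape_stand_in($received_on) . "')\n";

// With the detection step, both servers build the same query.
echo "A fixed:  INSERT INTO pages (body) VALUES ('" . prepare_for_query($received_on, true) . "')\n";
echo "B fixed:  INSERT INTO pages (body) VALUES ('" . prepare_for_query($received_off, false) . "')\n";
```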

shahzad Posted December 27, 2009

Thank you buddy