JonnySnip3r Posted May 22, 2010
Hey guys, just wondering if someone can clear something up for me about SQL injection. When do I actually need to protect against SQL injection? Only when users are entering info directly into a database, such as Login, Posts, Search etc., or all the time, for example when the script is contacting the database behind the scenes? Like this:
mysql_query("UPDATE users SET acount_active=1 where name='$name'");
or should I run $name through
$name = mysql_real_escape_string($name);
? Thanks!!
Rustywolf Posted May 22, 2010
Whenever the user has input, if not only when they control it. I'd recommend using switch statements, MD5'ing the passwords, htmlspecialchars() etc. So if it had something like
if($_SESSION['name'] == 1) { $set = 1; }
mysql_query("SELECT * FROM users WHERE online = '$set'");
Really bad example but... you get the point
JAY6390 Posted May 22, 2010
SQL injection happens in one circumstance: when you put user-given data into a query and run it without sanitizing it. ALWAYS sanitize the data by removing anything that shouldn't be in there in the first place (like non-alphanumeric characters and/or tags) and run the data through mysql_real_escape_string before inserting it into your query. Better still, use something like prepared statements in mysqli.
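The OP's UPDATE written both ways, as an added example that is not from this thread or any poster: the interpolated mysql_query call beside the same query as a mysqli prepared statement, which is what the reply above recommends. The connection details, the users table and its account_active column are assumed for the example.

```php
<?php
// Added example (not from the thread). Assumed: a MySQL database reachable
// with the placeholder credentials below, and a `users` table with columns
// `name` and `account_active`.

// VULNERABLE: $name is pasted straight into the SQL text. Any quote character
// in $name is parsed as part of the query, not as part of the name value,
// so user input can change what the statement does.
function activate_user_unsafe(mysqli $db, string $name): bool
{
    $sql = "UPDATE users SET account_active=1 WHERE name='$name'";
    return $db->query($sql) !== false;
}

// SAFE: the SQL is sent to the server with a ? placeholder and $name is
// bound separately as a string parameter. The value is never parsed as SQL,
// so no escaping of the input is needed for the query to be safe.
function activate_user(mysqli $db, string $name): int
{
    $stmt = $db->prepare("UPDATE users SET account_active=1 WHERE name=?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $name);   // 's' = bind as string
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $affected = $stmt->affected_rows; // number of rows actually updated
    $stmt->close();
    return $affected;
}

// Usage with placeholder connection details (assumed, not real):
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}
$name = $_POST['name'] ?? '';
printf("%d row(s) activated\n", activate_user($db, $name));
```

The same applies to the "behind the scenes" case from the question: if $name originally came from a form, a cookie or an earlier database row, it is still data and still belongs in a bound parameter.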
JonnySnip3r Posted May 22, 2010 Author
Thanks guys, I think it would be better to learn mysqli prepared statements. Cheers!