PHP MySQL Injection threat.


4 replies to this topic

#1 jamesmiddz

jamesmiddz
  • New Members
  • Pip
  • Newbie
  • 6 posts

Posted 14 September 2006 - 01:23 PM

Hi, can anyone tell me how I could prevent data injection into the following code?

<?php
include("connect.php");
$name    = $_POST['name'];
$address = $_POST['address'];
$tel     = $_POST['tel'];

// Form values are interpolated straight into the SQL string here
$query = "INSERT INTO people (id, name, address, tel)
          VALUES ('', '$name', '$address', '$tel')";

$results = mysql_query($query) or die
    ("Could not execute query : $query." . mysql_error());

if ($results)
{
    echo "Details added.";
}
?>

James
Online PHP MySQL generator
http://www.turningtu...l_php_generator
Holidays in the UK and Ireland
http://www.shmootcase.co.uk

#2 gerkintrigg

gerkintrigg
  • Members
  • PipPipPip
  • Magician
  • 828 posts
  • Location: Bristol, UK
  • Age: 37

Posted 14 September 2006 - 01:28 PM

Use get variables instead?
Neil Trigger - http://www.ghostlypublishing.co.uk - Ghostly Publishing - Children's Fantasy Books

#3 jamesmiddz

jamesmiddz
  • New Members
  • Pip
  • Newbie
  • 6 posts

Posted 14 September 2006 - 01:32 PM

Hi gerkintrigg,

Thanks for the reply. The original strings data would be passed from a form. Would GET protect from data injections?

James
Online PHP MySQL generator
http://www.turningtu...l_php_generator
Holidays in the UK and Ireland
http://www.shmootcase.co.uk

#4 effigy

effigy
  • Staff Alumni
  • Advanced Member
  • 3,600 posts
  • Location: IL

Posted 14 September 2006 - 01:50 PM

See MySQL's real_escape_string.
Regexp | Unicode Article | Letter Database
/\A(e)?((1)?ff(?:(?:ig)?y)?|f(?:ig)?)\z/
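The fix effigy points at is escaping (mysql_real_escape_string for the old mysql_* extension, which has since been removed in PHP 7). The more robust fix is to stop building the query from strings altogether and use a prepared statement, which also answers the GET-vs-POST question: the transport method makes no difference, since either way the user's text is parsed as SQL the moment it is interpolated into the query. The script below is an added example, not code from the thread. It rewrites the INSERT from post #1 with PDO placeholders and uses an in-memory SQLite database in place of connect.php's MySQL connection so it runs offline; the table name and columns are taken from the original query, and the hostile sample input is constructed for the demonstration.

```php
<?php
// Added example, not the thread's own code. SQLite in memory stands in for the
// MySQL connection in connect.php; with MySQL the same PDO calls apply, only the
// DSN changes (e.g. new PDO('mysql:host=...;dbname=...', $user, $pass)).

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Let the driver bind parameters itself rather than PHP splicing them in.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec('CREATE TABLE people (
        id      INTEGER PRIMARY KEY AUTOINCREMENT,
        name    TEXT NOT NULL,
        address TEXT NOT NULL,
        tel     TEXT NOT NULL)');
    return $db;
}

// Safe form of the question's INSERT: the SQL text is fixed, values are bound.
function addPerson(PDO $db, string $name, string $address, string $tel): int
{
    $stmt = $db->prepare(
        'INSERT INTO people (name, address, tel) VALUES (:name, :address, :tel)');
    $stmt->execute([':name' => $name, ':address' => $address, ':tel' => $tel]);
    return (int) $db->lastInsertId();
}

// Fetch a row back the same way, with a bound id instead of interpolation.
function getPerson(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT name, address, tel FROM people WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

$db = openDb();

// Constructed sample input standing in for $_POST['name'], ['address'], ['tel'].
// The quote and comment marker are the characters that would have closed the
// string literal in "VALUES ('', '$name', ...)" and changed the query's meaning.
$input = [
    'name'    => "O'Brien', 'x', 'y'); -- ",
    'address' => '1 High Street',
    'tel'     => '01234 567890',
];

$id  = addPerson($db, $input['name'], $input['address'], $input['tel']);
$row = getPerson($db, $id);

// With placeholders the hostile string is stored verbatim as data.
echo $row['name'] === $input['name']
    ? "Details added; name stored literally: {$row['name']}\n"
    : "Mismatch: stored value differs from input\n";
```

Two details worth keeping: the id column is left out of the INSERT rather than given an empty string, so the database assigns it, and PDO::ATTR_EMULATE_PREPARES is turned off so that the server, not the PHP client, receives the query and the values separately.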

#5 jamesmiddz

jamesmiddz
  • New Members
  • Pip
  • Newbie
  • 6 posts

Posted 14 September 2006 - 01:52 PM

Thanks ;)

Most certainly will do.

James
Online PHP MySQL generator
http://www.turningtu...l_php_generator
Holidays in the UK and Ireland
http://www.shmootcase.co.uk



