c_pattle Posted October 22, 2010 (https://forums.phpfreaks.com/topic/216572-mysql-security/)
I have a form that, when submitted, inserts the input values into a database. I was wondering what measures I can take to make sure that it is as secure as possible. Below I have added some basic code. Any help on how to modify this code to protect against injection attacks etc. would be great.

if (isset($_POST['form_submit'])) {
    $submit_sql = "insert into websites (website_name, website_description, website_url) values (\"" . $_POST['website_name'] . "\",\"" . $_POST['website_description'] . "\",\"" . $_POST['website_url'] . "\")";
    $submit_rs = mysql_query($submit_sql, $mysql_conn);
}
freelance84 Posted October 22, 2010
http://www.phpfreaks.com/tutorial/php-security I found this was a very very helpful tutorial when learning.
c_pattle (Author) Posted October 22, 2010
Thanks. If I used mysql_real_escape_string... it replaces any ' with \'. However, this is bad because if the user enters "it's" into the database it will then show up as "it\'s". Or is it necessary to have this?
Pikachu2000 Posted October 22, 2010
It doesn't actually end up in the database with the slash. The slash is recognized as an escape character, and MySQL deals with it appropriately.
c_pattle (Author) Posted October 22, 2010
Thanks, although when I tried it the backslashes did end up in the database. Does this mean I am doing something wrong?
Pikachu2000 Posted October 22, 2010
Is magic_quotes_gpc set to ON in your php.ini file?
c_pattle (Author) Posted October 22, 2010
Yes, it's set to "ON". Should I change it? Also, this is my code. Is this the right way to do it?

if (isset($_POST['form_submit'])) {
    $_SESSION['website_name'] = mysql_real_escape_string($_POST['website_name'], $mysql_conn);
    $_SESSION['website_description'] = mysql_real_escape_string($_POST['website_description'], $mysql_conn);
    $_SESSION['website_url'] = mysql_real_escape_string($_POST['website_url'], $mysql_conn);
    $submit_sql = "insert into websites (website_name, website_description, website_url) values (\"" . $_SESSION['website_name'] . "\",\"" . $_SESSION['website_description'] . "\",\"" . $_SESSION['website_url'] . "\")";
    $submit_rs = mysql_query($submit_sql, $mysql_conn);
}
Pikachu2000 Posted October 22, 2010
magic_quotes_gpc should be turned off, yes. As a minimum, you should check for it in your code if you're writing a script that needs to be as portable as possible. That way, you don't end up double-escaping things. Have a look through the examples in the documentation for get_magic_quotes_gpc().

if (get_magic_quotes_gpc()) {
    // run your GET/POST/COOKIE vars through stripslashes()
    $_GET    = array_map('stripslashes', $_GET);
    $_POST   = array_map('stripslashes', $_POST);
    $_COOKIE = array_map('stripslashes', $_COOKIE);
}
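The advice in this thread (undo magic_quotes_gpc so values are not double-escaped, and never concatenate raw input into SQL) carried through as an added example; this is not code from any poster in the thread. It rewrites the original insert with a PDO prepared statement, which removes the need for mysql_real_escape_string entirely because the values travel to MySQL separately from the SQL text. It assumes the `websites` table from the first post and the hypothetical DSN and credentials shown in the code.

```php
<?php
// Added example, not from the thread. Assumes a MySQL table
// websites (website_name, website_description, website_url) and the
// hypothetical connection details below.

// Undo magic_quotes_gpc recursively, so nested arrays are handled too and
// values are stored exactly as typed (the "it\'s" problem c_pattle saw).
// get_magic_quotes_gpc() no longer exists in PHP 8, so guard the call.
function strip_magic_quotes_deep($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes_deep', $value);
    }
    return stripslashes($value);
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes_deep($_GET);
    $_POST   = strip_magic_quotes_deep($_POST);
    $_COOKIE = strip_magic_quotes_deep($_COOKIE);
}

// Insert one row using bound parameters. The SQL text contains only
// placeholders; the values are sent separately, so quotes, backslashes or
// SQL keywords in the input cannot alter the statement and need no escaping.
function insert_website(PDO $pdo, array $input)
{
    foreach (['website_name', 'website_description', 'website_url'] as $field) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            throw new InvalidArgumentException("missing or invalid field: $field");
        }
    }

    // Input validation is a separate concern from injection, but a form
    // handler should still reject values that are not what the column expects.
    if (filter_var($input['website_url'], FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('website_url is not a valid URL');
    }

    $stmt = $pdo->prepare(
        'INSERT INTO websites (website_name, website_description, website_url)
         VALUES (:name, :description, :url)'
    );
    $stmt->execute([
        ':name'        => $input['website_name'],
        ':description' => $input['website_description'],
        ':url'         => $input['website_url'],
    ]);

    return (int) $pdo->lastInsertId();
}

if (isset($_POST['form_submit'])) {
    // Hypothetical DSN and credentials; replace with your own.
    $pdo = new PDO(
        'mysql:host=localhost;dbname=example;charset=utf8mb4',
        'db_user',
        'db_pass',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Ask MySQL for real server-side prepares instead of
            // client-side emulation, so the separation of SQL and data holds.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );

    $id = insert_website($pdo, $_POST);
    echo 'inserted row ' . $id;
}
```

With parameters bound this way, a value such as it's is stored as typed, and the double-escaping question in the thread does not arise: the only transformation applied to input is the one that reverses magic_quotes_gpc where that setting is still on.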
c_pattle (Author) Posted October 22, 2010
Cool. Thanks for your help.