Comment protection against sql injection help need to be secure!

Minimeallolla · November 7, 2010

<?php

include ("database.php");

// show comments

$result = mysql_query("SELECT * FROM gamecomments");

while($row = mysql_fetch_array($result))

{

echo $row['username'] . ": <Br> " . $row['comment'];

echo "<p>";

}

ini_set ("display_errors", "1");

error_reporting(E_ALL);

if (isset($_POST['submit'])) {

// now we insert it into the database

$insert = "INSERT INTO gamecomments (username, comment)

VALUES ('[$username]', '$_POST[comment]')";

$add_comment = mysql_query($insert);

{

echo "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=games.php\">";

}

Minimeallolla · November 7, 2010

Would this work or something like this? need help still \=

<?php
include ("database.php");
// show comments
$result = mysql_query("SELECT * FROM gamecomments");
while($row = mysql_fetch_array($result))
  {
  echo addslashes($row['username']) . ": <Br> " . addslashes($row['comment']);
  echo "<p>";
}
      ini_set ("display_errors", "1");
      error_reporting(E_ALL);
      

      
      if (isset($_POST['submit'])) {
         
      	$username = real_escape_string($username);
		$_POST['comment'] = real_escape_String($comment);
         
           // now we insert it into the database
   $insert = "INSERT INTO gamecomments (username, comment)
   VALUES ('[$username]', '$_POST[comment]')";

   $add_comment = mysql_query($insert);
{
echo "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=games.php\">";
  }
}
[code]

KevinM1 · November 7, 2010

Don't use addslashes. And what is real_escape_string supposed to be? Use mysql_real_escape_string on string data you want to insert into the db, or better yet, use MySQLi and parameterized statements.

Minimeallolla · November 7, 2010

sorry, im really tired \= so just that like? will prevent sql injection? and protect everything?

<?php
include ("database.php");
// show comments
$result = mysql_query("SELECT * FROM gamecomments");
while($row = mysql_fetch_array($result))
  {
  echo ($row['username']) . ": <Br> " . ($row['comment']);
  echo "<p>";
}
      ini_set ("display_errors", "1");
      error_reporting(E_ALL);
      

      
      if (isset($_POST['submit'])) {
         
         $username = mysql_real_escape_string($username);
		$_POST['comment'] = mysql_real_escape_string($comment);

           // now we insert it into the database
   $insert = "INSERT INTO gamecomments (username, comment)
   VALUES ('[$username]', '$_POST[comment]')";

   $add_comment = mysql_query($insert);
{
echo "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=games.php\">";
  }
}

KevinM1 · November 7, 2010

Where does $username come from? Echoing row data isn't the same as constructing a variable. Also, your assignment statement dealing with the comments is backwards.

The escape function will protect you from injection, but you should validate all incoming data. When you display your comments, you'll need to combat against unwanted HTML and XSS attacks.

Sign In

Comment protection against sql injection help need to be secure!

Recommended Posts

Minimeallolla

Link to comment

Share on other sites

Minimeallolla

Link to comment

Share on other sites

KevinM1

Link to comment

Share on other sites

Minimeallolla

Link to comment

Share on other sites

KevinM1

Link to comment

Share on other sites

Archived

Browse

Activity

Important Information