undertaker Posted May 26, 2011 Share Posted May 26, 2011 How can you protect mysql injection? (from inserting different statements into the input field) Thanks Quote Link to comment Share on other sites More sharing options...
Maq Posted May 26, 2011 Share Posted May 26, 2011 How can you protect mysql injection? (from inserting different statements into the input field) Thanks Wow, I copied your question into Google and got thousands of relevant results, imagine that. Quote Link to comment Share on other sites More sharing options...
Philip Posted May 26, 2011 Share Posted May 26, 2011 Wow, I copied your question into Google and got thousands of relevant results, imagine that. What is this magical "Google" you speak of?! Quote Link to comment Share on other sites More sharing options...
Maq Posted May 26, 2011 Share Posted May 26, 2011 Wow, I copied your question into Google and got thousands of relevant results, imagine that. What is this magical "Google" you speak of?! http://tinyurl.com/6oh56d Quote Link to comment Share on other sites More sharing options...
cssfreakie Posted May 26, 2011 Share Posted May 26, 2011 Wow, I copied your question into Google and got thousands of relevant results, imagine that. are you serious? i got this: maybe i made a typo. *sorry for trolling this just asked for it Quote Link to comment Share on other sites More sharing options...
jcbones Posted May 27, 2011 Share Posted May 27, 2011 Ah, you found Maq's pic! Quote Link to comment Share on other sites More sharing options...
dadamssg87 Posted May 27, 2011 Share Posted May 27, 2011 i'm redditor...was definitely about to upvote all your comments haha Quote Link to comment Share on other sites More sharing options...
Maq Posted May 27, 2011 Share Posted May 27, 2011 Ah, you found Maq's pic! cssfreakie.... how many times do I have to tell you, the pics I send you are strictly for personal pleasure. That's it! Quote Link to comment Share on other sites More sharing options...
dougjohnson Posted May 27, 2011 Share Posted May 27, 2011 The best way to protect against MySQL injections in php is to use "Prepared" statements. You don't need to validate the user input since it is completely separated from the mysql statement. Example: $connection = new mysqli('server', 'username', 'password', 'database'); $result = $connection->prepare("SELECT products, usertype, special_pricing_user, special_pricing, pcconly FROM users WHERE username = ?"); $result->bind_param("s", $username); $result->execute(); $result->bind_result($userproducts, $usertype, $special_pricing_user, $special_pricing, $pcconly); while ($row = $result->fetch()) { // } Quote Link to comment Share on other sites More sharing options...
cssfreakie Posted May 27, 2011 Share Posted May 27, 2011 another way could be to use mysql_real_escape_string or the newer mysqli_real_escape_string to sanitize the values before entering. although i am more a fan of prepared statements Quote Link to comment Share on other sites More sharing options...
Bl4ckMaj1k Posted May 27, 2011 Share Posted May 27, 2011 The best way to protect against MySQL injections in php is to use "Prepared" statements. You don't need to validate the user input since it is completely separated from the mysql statement. Example: $connection = new mysqli('server', 'username', 'password', 'database'); $result = $connection->prepare("SELECT products, usertype, special_pricing_user, special_pricing, pcconly FROM users WHERE username = ?"); $result->bind_param("s", $username); $result->execute(); $result->bind_result($userproducts, $usertype, $special_pricing_user, $special_pricing, $pcconly); while ($row = $result->fetch()) { // } For us Noobs, can someone please break down what's going on in this form?? (in Lamens terms?) Quote Link to comment Share on other sites More sharing options...
blew Posted May 28, 2011 Share Posted May 28, 2011 The best way to protect against MySQL injections in php is to use "Prepared" statements. You don't need to validate the user input since it is completely separated from the mysql statement. Example: $connection = new mysqli('server', 'username', 'password', 'database'); $result = $connection->prepare("SELECT products, usertype, special_pricing_user, special_pricing, pcconly FROM users WHERE username = ?"); $result->bind_param("s", $username); $result->execute(); $result->bind_result($userproducts, $usertype, $special_pricing_user, $special_pricing, $pcconly); while ($row = $result->fetch()) { // } For us Noobs, can someone please break down what's going on in this form?? (in Lamens terms?) Prepared Statements is just for PDO connections its better to use it than connecting straight to mysql in the beginning, its harder to use than mysql, but then its really easy, and safer http://www.php.net/manual/en/book.pdo.php for more informations google -> PHP PDO ftw Quote Link to comment Share on other sites More sharing options...
Maq Posted May 30, 2011 Share Posted May 30, 2011 In addition to the above: // Create a new mysqli object which is an interface to be specific $connection = new mysqli('server', 'username', 'password', 'database'); // Invoke the prepare() method with the 'prepared' query string $result = $connection->prepare("SELECT products, usertype, special_pricing_user, special_pricing, pcconly FROM users WHERE username = ?"); // Bind $username to the '?' value field that you see above $result->bind_param("s", $username); // Execute the query $result->execute(); // Fetch the results into the $result array $result->bind_result($userproducts, $usertype, $special_pricing_user, $special_pricing, $pcconly); // Loop through the results while ($row = $result->fetch()) { // } If that's too layman for you, then ask for specifics. Quote Link to comment Share on other sites More sharing options...
KevinM1 Posted May 30, 2011 Share Posted May 30, 2011 The best way to protect against MySQL injections in php is to use "Prepared" statements. You don't need to validate the user input since it is completely separated from the mysql statement. Example: $connection = new mysqli('server', 'username', 'password', 'database'); $result = $connection->prepare("SELECT products, usertype, special_pricing_user, special_pricing, pcconly FROM users WHERE username = ?"); $result->bind_param("s", $username); $result->execute(); $result->bind_result($userproducts, $usertype, $special_pricing_user, $special_pricing, $pcconly); while ($row = $result->fetch()) { // } For us Noobs, can someone please break down what's going on in this form?? (in Lamens terms?) Prepared Statements is just for PDO connections its better to use it than connecting straight to mysql in the beginning, its harder to use than mysql, but then its really easy, and safer http://www.php.net/manual/en/book.pdo.php for more informations google -> PHP PDO ftw And for MySQLi, which is what the code example shows.... Quote Link to comment Share on other sites More sharing options...
dougjohnson Posted May 31, 2011 Share Posted May 31, 2011 Take a look at this: http://php.net/manual/en/mysqli.prepare.php What's going on here is the ?'s are place holders for the actual user variable input. The bind_param "maps" the input to the corresponding "?" placeholder. The binding "s" is for alphanumeric input, "i" would be for numeric and there are a couple other types see the link above. The bind_result loads up the resulting values from the prepared mysql statement. At first all of this is a pain, but after a while it's ok and you don't have to worry about injections. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.