Jimzehn, posted September 8, 2011

I am using the following code to display information on a web page. The variable ID is passed to this page from another page. I received an anonymous email saying this was vulnerable to SQL Injection. I am not all that proficient in PHP or MySQL and would very much appreciate any help given in rewriting this code to protect against attacks.

```php
<?php
$sSQLContent = "SELECT * FROM content WHERE content_page ='".$sPageName."'";
$rsc = query($sSQLContent);
if (isset($rsc))
    while($rowc = fetchNext($rsc)){
        echo $rowc["content_text"];
    }//while
?>
```

```php
<?php
if(isset($_GET["ID"]))
    $ID = $_GET["ID"];
else
    $ID =0;
$sSQL = "SELECT * FROM Press_release WHERE ID=".$ID;
$rs = query($sSQL);
while($myrow = fetchNext($rs)){
?>
```
gristoi, posted September 8, 2011

You need to sanitise any data that you receive from your URL. A good starting point is mysql_real_escape_string.
Jimzehn (author), posted September 8, 2011

Thank you Gristoi for that info. In searching the term "real_escape_string" on the web, I found this function:

```php
function sanitize($data) {
    // remove whitespaces (not a must though)
    $data = trim($data);
    // apply stripslashes if magic_quotes_gpc is enabled
    if(get_magic_quotes_gpc()) {
        $data = stripslashes($data);
    }
    // a mySQL connection is required before using this function
    $data = mysql_real_escape_string($data);
    return $data;
}
```

and then I altered my code to read:

```php
if (isset($_REQUEST['ID']))
    $ID = sanitize($_REQUEST['ID']);
else
    $ID =0;
$result = query("SELECT * FROM Research_report WHERE ID=".$ID);
$myrow = fetchnext($result);
```

The results are displayed correctly, but how do I know if I am protected against attacks? Is there a test I can run? Also, is there anything else I can do? Thanks in advance for your help.
fenway, posted September 8, 2011

Your DB layer should handle this for you -- otherwise, you'll forget one time.
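What a DB layer that "handles this for you" looks like in practice, as an added example that is not code from anyone in the thread: the same two queries from the first post rewritten with PDO prepared statements, with the integer ID validated before it is bound. The database name, credentials, and the assumption that Press_release has an integer ID column are placeholders.

```php
<?php
// Added example, not code from the thread. Assumes a MySQL database "site"
// with the thread's tables Press_release (integer column ID) and
// content (columns content_page, content_text); credentials are placeholders.
declare(strict_types=1);

function connect(): PDO
{
    // Native (non-emulated) prepares let MySQL keep SQL and data apart;
    // exception mode stops a failed query from silently returning nothing.
    return new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Integer key. Escaping quote characters does nothing for a value that is not
// inside quotes, so validate the type instead and bind it as an integer.
function pressReleaseById(PDO $pdo, string $rawId): array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        $id = 0; // same fallback the original code used for a missing ID
    }
    $stmt = $pdo->prepare('SELECT * FROM Press_release WHERE ID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// String key. The placeholder carries the value; no escaping call is needed,
// so there is none to forget.
function contentForPage(PDO $pdo, string $pageName): array
{
    $stmt = $pdo->prepare('SELECT content_text FROM content WHERE content_page = :page');
    $stmt->execute([':page' => $pageName]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = connect();
$rawId = isset($_GET['ID']) ? (string) $_GET['ID'] : '0';
foreach (pressReleaseById($pdo, $rawId) as $row) {
    // Escape on output as well: a value read back from the DB is not safe HTML.
    echo htmlspecialchars((string) $row['ID'], ENT_QUOTES, 'UTF-8'), "\n";
}
foreach (contentForPage($pdo, 'home') as $text) {
    echo htmlspecialchars($text, ENT_QUOTES, 'UTF-8'), "\n";
}
```

A simple check that answers the "is there a test I can run" question: request the page with a non-numeric ID and confirm it falls back to ID 0 rather than raising a database error, which shows the value never reached the SQL text.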