eddy556 Posted November 23, 2006 (https://forums.phpfreaks.com/topic/28230-php-sql-injection/)
What is the best way to prevent SQL injection into a username/password form? I have tried to use functions which check through the string for certain keywords (insert etc.) but I don't believe this is the best way.
Thanks
onlyican Posted November 23, 2006
I have created a function, which secures everything
[code]<?php
function MakeSafe($str, $lower = false)
{
    if($make_lower){
        $str = strtolower($str);
    }
    $str = stripslashes($str);
    $str = trim($str);
    $str = strip_tags($str);
    $str = mysql_real_escape_string($str);
    return $str;
}

$username = MakeSafe($_POST["username"], 1);
// This makes the username safe, and lowercase
$sometextfield = MakeSafe($_POST["sometextfield"]);
// This makes sometextfield safe, but keeping the original Caps
?>[/code]
kenrbnsn Posted November 23, 2006
You have an error in your function. The line
[code]<?php if($make_lower){ ?>[/code]
should be
[code]<?php if($lower){ ?>[/code]
Ken
alpine Posted November 23, 2006
Just as a notice to mysql_real_escape_string(): it won't work unless you have an open db connection at the time it's called.
so this won't work
[code]<?php
$string = mysql_real_escape_string($string);
mysql_connect($host, $user, $password);
?>[/code]
but this works:
[code]<?php
mysql_connect($host, $user, $password);
$string = mysql_real_escape_string($string);
?>[/code]
onlyican Posted November 23, 2006
yes, but if you do this before you want to add to a DB then you open your connection before calling this function
If you're not connecting to a DB, then you don't need to make safe for SQL-Injection
and with regards to the error, sorry that was a typo
alpine Posted November 23, 2006
[quote]If you're not connecting to a DB, then you don't need to make safe for SQL-Injection[/quote]
sure, but some folks out there prefer to connect and select db after all validations are passed and ok
ataria Posted November 23, 2006
This is what I use for SQL injection..
[code]<?php
function protect($input)
{
    // Escape once for the open MySQL connection, then strip the extra characters
    $input = mysql_real_escape_string($input);
    $input = eregi_replace("%", "", $input);
    $input = eregi_replace("--", "", $input);
    // Escaping a second time here would double the backslashes, so only encode for HTML
    $input = htmlspecialchars($input);
    return $input;
}

// array_map() returns a new array, so the result has to be assigned back
$_COOKIE = array_map("protect", $_COOKIE);
$_POST = array_map('mysql_real_escape_string', $_POST);
$_GET = array_map('mysql_real_escape_string', $_GET);
?>[/code]
(the DB connection is above, but I just took out this part and put in the php tags so it's less on the eyes)
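A worked example added here, not code from any poster in this thread: a username/password check that keeps user input out of the SQL text entirely by binding it as a parameter, which is what the keyword filters in the original question and the escaping helpers above are trying to approximate. The DSN, credentials, the users(id, username, password_hash) table and the column names are assumptions for the example; the escaping-era function at the end shows the quoting that an escaped value still needs inside the query.

```php
<?php
// Added example, not from the thread. Assumed table: users(id, username, password_hash).

function connectDb(): PDO
{
    // DSN and credentials are placeholders for the example.
    $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use real server-side prepared statements so the driver never
    // falls back to interpolating values into the query string.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Returns the user's id on success, or null on failure. The username is bound
// as a parameter, so characters such as ' or -- are data, not SQL, and nothing
// has to be stripped or escaped beforehand.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        return null;
    }
    // Passwords are stored as password_hash() output, never compared in SQL.
    return password_verify($password, $row['password_hash']) ? (int) $row['id'] : null;
}

// Escaping-based alternative for comparison (mysqli; the thread's mysql_* functions
// are the same idea). The escape call needs the open connection, and the escaped
// value is only safe inside single quotes in the query text.
function legacyLookup(mysqli $db, string $username): ?array
{
    $safe = $db->real_escape_string($username);
    $result = $db->query("SELECT id, password_hash FROM users WHERE username = '" . $safe . "'");
    $row = $result->fetch_assoc();
    return $row === null ? null : $row;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';
    $userId = authenticate(connectDb(), $username, $password);
    echo $userId === null ? "Login failed\n" : "Logged in as user {$userId}\n";
}
```

With the prepared statement there is no need for strip_tags(), stripslashes() or keyword removal on the way into the database; those belong to other layers (HTML output, magic_quotes cleanup) and do nothing for SQL. The legacyLookup() function is only sound while the value stays inside the quotes the function adds; the same escaped value used in an unquoted numeric position (WHERE id = $safe) would still be injectable.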