[SOLVED] My Sql Injection!

[pkirsch]

What can i do to stop My Sql Injection? what are other things i can so to protect databases (primarily My Sql.)

 

Also what can i do to stop spam bots? (sorry, a bit off topic; just thought I'd ask!) 

[wildteen88]

To stop SQL injection use the mysql_real_escape_string function on any data that goes into a query.

[hvle]

can you give an example of sql injection?

[pkirsch]

Well i have a forum and i recently turned it off! Temporarily! (it's Invision Power Board) and because i turned it off, nobody can Register... But everyday still i have registrations! I would assume that this would be a MySQL Injection into my database!

 

Any other suggestions? If it's not MySQL injection, Then what is it?

 

  ??? 

[artacus]

Well that sounds like cross site scripting.

 

SQL Injection is something like this. User enters:

username: 1'  OR userID > 1 LIMIT 1 --

password: never read

query = SELECT * FROM users WHERE username = '1'  OR userID > 1 LIMIT 1 --'  AND password = 'never read'

 

[wildteen88]

You can still register I believe even if the forum is "turned off". This is not SQL injection. If its SQL injection then they will do far more serious things, such as delete the forums database or all databases, than register an account for your forum.

 

I would take this up with the developers of Invision Power Board if where you. Go to http://forums.invisionpower.com/ for support on this. Also I am going to move this to the Third Party support forum too due to this being a support request for IPB

[pkirsch]

Thanks guys! 

[Hypnos]

On premade PHP applications, the SQL injection prevention methods should already be there (and if there are holes, they are usually found and patched fairly quickly on mainstream scripts like Invision forums).

 

Make sure you're using the latest version of your forum.