Masna Posted March 6, 2006

Hey all! I'm currently working on a website that involves money, hopefully lots. Anyway, I NEED to protect against hackers in any way I can, so I was wondering about... SQL injection. How can one make SQL injections to a MySQL database, and how can I prevent it? Thanks in advance.

https://forums.phpfreaks.com/topic/4269-sql-injection/
Buyocat Posted March 6, 2006

Escape everything you put into a query by using mysql_real_escape_string, which will put slashes before quotation marks. Then when you want to use it later, stripslashes it. You can read more about both those at PHP.net, though I think it's fairly straightforward. Oh, last thing: mysql_real_escape_string requires a database connection, just FYI.
kenrbnsn Posted March 6, 2006

Actually, I've noticed that I don't have to use stripslashes when retrieving data stored using mysql_real_escape_string(). If you look at the data in the database, the backslashes used for escaping the data aren't there.

Ken
Buyocat Posted March 6, 2006

Ken, that's strange, because I was just using something and had to stripslashes it in order to get rid of the slashes... wonder what is different between our systems.
Masna (Author) Posted March 6, 2006

Well... I've already integrated mysql_escape_string into everything, will that do?
XenoPhage Posted March 7, 2006

> QUOTE (Buyocat @ Mar 6 2006, 06:10 PM)
> Ken, that's strange, because I was just using something and had to stripslashes it in order to get rid of the slashes... wonder what is different between our systems.

Check get_magic_quotes_gpc() ... It may be on for you, but off for Masna. That would explain it. :)
wickning1 Posted March 7, 2006

Magic quotes are evil incarnate. I hate them with all my mind, body and soul. They've confused so many young programmers. I'm lucky I started with Perl/DBI. That handles it the right way. Magic quotes are off by default in PHP5, and that's a very good thing.
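The thread's advice pulled together as an added example (editor's code, not posted by anyone in the thread): escape exactly once, at the point the query string is built, undoing magic_quotes_gpc first so a quote is never escaped twice, and read the stored value back without stripslashes. A prepared-statement version of the same lookup is shown alongside for comparison; it is not discussed in the thread. The example assumes a reachable MySQL server, a `users` table with `id` and `username` columns, and the mysqli extension; the connection credentials are placeholders.

```php
<?php
// Added example. The mysql_* functions used in the thread were removed in
// PHP 7; mysqli::real_escape_string does the same job and, like
// mysql_real_escape_string, needs a live connection because the escaping
// depends on the connection character set (mysql_escape_string did not).

// Undo magic_quotes_gpc when it is on, so the value reaching the query
// builder is the raw user input and gets escaped exactly once. This is the
// difference between the two systems discussed above.
function raw_input(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Escaping approach from the thread. The backslashes exist only in the SQL
// text and are consumed by MySQL's parser, so the stored value has no
// slashes and needs no stripslashes when read back (Ken's observation).
// Without the escape, an input such as O'Brien would produce
//   WHERE username = 'O'Brien'
// and the quote would end the string literal early.
function find_user_escaped(mysqli $db, string $username): ?array {
    $safe = $db->real_escape_string($username);
    $sql  = "SELECT id, username FROM users WHERE username = '$safe'";
    $res  = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Same lookup with a prepared statement (not from the thread): the value is
// sent separately from the SQL text, so quoting never becomes the
// application's problem. get_result() requires the mysqlnd driver.
function find_user_prepared(mysqli $db, string $username): ?array {
    $stmt = $db->prepare("SELECT id, username FROM users WHERE username = ?");
    $stmt->bind_param('s', $username);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
$db->set_charset('utf8mb4'); // set the charset before escaping anything

// Constructed sample value; a real request would supply $_GET['username'].
$name = raw_input($_GET['username'] ?? "O'Brien");
var_dump(find_user_escaped($db, $name));
var_dump(find_user_prepared($db, $name));
```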