SQL Injection!


6 replies to this topic

#1 Masna

Masna
  • Staff Alumni
  • Advanced Member
  • 288 posts
  • Location: New York

Posted 06 March 2006 - 10:51 PM

Hey all! I'm currently working on a website that involves money, hopefully lots. Anyway, I NEED to protect against hackers in any way I can, so I was wondering about... SQL injection. How can one make SQL injections to a MySQL database, and how can I prevent it? Thanks in advance.
I like LoL.

#2 Buyocat

Buyocat
  • Members
  • Advanced Member
  • 267 posts

Posted 06 March 2006 - 10:55 PM

Escape everything you put into a query by using mysql_real_escape_string, which will put slashes before quotation marks. Then, when you want to use it later, stripslashes it. You can read more about both of those at PHP.net, though I think it's fairly straightforward. Oh, last thing: mysql_real_escape_string requires a database connection, just FYI.
Looking for some easy-to-use tools?  Try these, https://sourceforge....jects/utils-php -- I made them myself.  They're distinct tools which are easy to understand and use.  See some examples uses at http://www.anotherearlymorning.com
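The injection Masna is asking about, as an added example that is not from the original posts: Python against an in-memory SQLite database stands in for the PHP/MySQL setup of the thread (the users table, its rows and the payloads are constructed for the demo). It shows the concatenated query an attacker breaks out of, the escaped variant Buyocat describes (quote doubling here, since SQLite does not accept MySQL's backslash form that mysql_real_escape_string produces), the case escaping cannot cover because the value is never inside quotes, and the parameterized query that closes both holes.

```python
import sqlite3

# Constructed sample data: SQLite in memory stands in for the thread's MySQL server.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
               "password TEXT, balance INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                   [(1, "alice", "s3cret", 100), (2, "bob", "hunter2", 250)])
    return db

def login_vulnerable(db, name, password):
    """The bug: request values are pasted into the SQL text, so a quote in the
    value ends the string literal and whatever follows is parsed as SQL."""
    sql = ("SELECT id FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in db.execute(sql)]

def sql_escape(value):
    """Stand-in for mysql_real_escape_string: doubles every single quote, the
    SQL-standard escape that both SQLite and MySQL accept. The PHP function
    instead prefixes a backslash (O\\'Brien), which SQLite does not understand."""
    return value.replace("'", "''")

def login_escaped(db, name, password):
    """Escaping keeps the value inside its quotes, so ' OR '1'='1 is just text."""
    sql = ("SELECT id FROM users WHERE name = '" + sql_escape(name)
           + "' AND password = '" + sql_escape(password) + "'")
    return [row[0] for row in db.execute(sql)]

def balance_escaped_numeric(db, user_id):
    """Escaping only works inside quotes. id is numeric, so the value is pasted
    unquoted and a payload containing no quote at all goes straight through."""
    sql = "SELECT balance FROM users WHERE id = " + sql_escape(user_id)
    return [row[0] for row in db.execute(sql)]

def login_parameterized(db, name, password):
    """Placeholders: the value travels separately from the SQL text and can
    never become part of the grammar, quoted or not."""
    rows = db.execute("SELECT id FROM users WHERE name = ? AND password = ?",
                      (name, password))
    return [row[0] for row in rows]

def balance_parameterized(db, user_id):
    rows = db.execute("SELECT balance FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1"                         # classic login bypass payload
    print(login_vulnerable(db, "", bypass))        # [1, 2]: every account matches
    print(login_escaped(db, "", bypass))           # []: payload is now just a string
    print(login_parameterized(db, "", bypass))     # []
    print(balance_escaped_numeric(db, "1 OR 1=1")) # [100, 250]: escaping did nothing
    print(balance_parameterized(db, "1 OR 1=1"))   # []
```

The numeric case is the one that "escape everything" misses: a value dropped into `WHERE id = ...` without quotes needs no quote character to inject, so only a placeholder (or a strict cast to int before building the query) protects it. With real MySQL the same logic applies, except that mysql_real_escape_string also needs the connection's character set, which is why it wants an open connection.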

#3 kenrbnsn

kenrbnsn
  • Staff Alumni
  • Advanced Member
  • 8,235 posts
  • Location: Hillsborough, NJ, USA

Posted 06 March 2006 - 11:03 PM

Actually, I've noticed that I don't have to use stripslashes when retrieving data stored using mysql_real_escape_string(). If you look at the data in the database, the backslashes used for escaping the data aren't there.

Ken

#4 Buyocat

Buyocat
  • Members
  • Advanced Member
  • 267 posts

Posted 06 March 2006 - 11:10 PM

Ken, that's strange, because I was just using something and had to stripslashes it in order to get rid of the slashes... wonder what is different between our systems.

#5 Masna

Masna
  • Staff Alumni
  • Advanced Member
  • 288 posts
  • Location: New York

Posted 06 March 2006 - 11:13 PM

Well...I've already integrated mysql_escape_string into everything, will that do?

#6 XenoPhage

XenoPhage
  • Members
  • Advanced Member
  • 99 posts

Posted 07 March 2006 - 03:36 AM

Quote (Buyocat @ Mar 6 2006, 06:10 PM):
    Ken, that's strange, because I was just using something and had to stripslashes it in order to get rid of the slashes... wonder what is different between our systems.

Check get_magic_quotes_gpc() ... It may be on for you, but off for Masna.. That would explain it. :)
--
XenoPhage (http://blog.godshell.com)
"Something mysterious is formed, born in the silent void. Waiting alone and unmoving, it is at once still and yet in constant motion. It is the source of all programs. I do not know its name, so I will call it the Tao of Programming."
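Where the stray backslashes behind Ken's and Buyocat's different results come from, as an added example that is not part of the thread: a Python model of addslashes (what magic_quotes_gpc applied to request data), stripslashes, mysql_real_escape_string and the MySQL server's decoding of a quoted literal. The PHP functions are modelled from their documented behaviour, not called; the model ignores the connection character set the real mysql_real_escape_string consults and NUL handling in addslashes, and the sample inputs are constructed.

```python
import re

# Python models of the PHP/MySQL pieces involved. They mirror the documented
# behaviour but are not the real functions (the real mysql_real_escape_string
# also consults the connection's character set, which is why it needs a connection).

def addslashes(s):
    """What magic_quotes_gpc applied to every GET/POST/cookie value before the
    script ran (NUL handling omitted)."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def stripslashes(s):
    """PHP's stripslashes: remove one layer of backslashes."""
    return re.sub(r"\\(.)", r"\1", s, flags=re.S)

def mysql_real_escape_string(s):
    """Backslash-escape the characters MySQL treats specially inside a quoted literal."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(c, c) for c in s)

def mysql_stored_value(literal_body):
    """What the MySQL server stores for the text between the quotes: each backslash
    is dropped and the next character taken literally (\\n, \\r, \\0, \\Z become the
    corresponding control characters)."""
    specials = {"n": "\n", "r": "\r", "0": "\0", "Z": "\x1a"}
    return re.sub(r"\\(.)", lambda m: specials.get(m.group(1), m.group(1)),
                  literal_body, flags=re.S)

def stored_value(raw_input, magic_quotes_on, strip_first=False):
    """One request end to end: the browser sends raw_input, PHP maybe applies magic
    quotes, the script escapes it and wraps it in quotes, MySQL decodes the literal.
    Returns the value that lands in the table."""
    value = addslashes(raw_input) if magic_quotes_on else raw_input
    if strip_first and magic_quotes_on:
        value = stripslashes(value)   # undo magic quotes so escaping happens exactly once
    return mysql_stored_value(mysql_real_escape_string(value))

if __name__ == "__main__":
    # Ken's setup: magic quotes off, escaped once, no slashes end up in the table.
    print(repr(stored_value("O'Brien", False)))                   # "O'Brien"
    # Buyocat's setup: magic quotes on, so the value is escaped twice and a literal
    # backslash is stored; that is the slash he has to strip on the way out.
    print(repr(stored_value("O'Brien", True)))                    # "O\\'Brien"
    print(repr(stripslashes(stored_value("O'Brien", True))))      # "O'Brien"
    # The fix when magic quotes is on: strip first, then escape once.
    print(repr(stored_value("O'Brien", True, strip_first=True)))  # "O'Brien"
    # Escaping once is also what defuses the payload: it is stored as plain text.
    print(repr(stored_value("' OR '1'='1", False)))               # "' OR '1'='1"
```

The takeaway for the thread's disagreement: the data should be escaped exactly once, at the point where it goes into the query. If get_magic_quotes_gpc() reports it on, strip those slashes before escaping (or disable the option); calling stripslashes on the way out of the database is a workaround for a double-escape, not part of a correct pipeline.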

#7 wickning1

wickning1
  • Members
  • Advanced Member
  • 405 posts

Posted 07 March 2006 - 03:46 AM

Magic quotes are evil incarnate. I hate them with all my mind, body and soul. They've confused so many young programmers. I'm lucky I started with Perl/DBI. That handles it the right way.

Magic quotes are off by default in PHP5 and that's a very good thing.
