Jump to content

Preventing MySQL Injection

seb hughes

By seb hughes
in PHP Coding Help

 Share

Recommended Posts

flappy_warbucks Newbie

flappy_warbucks

Posted
Posted

its different depending on the script.

 

i just look at ways in which data can find its way into the script, and that is filtered down to the point it cant be a SQL statement...

 

for example.

 

if you had a member website for example, instead of passing the users user-name on the site in hidden fields and cookies, you could pass the member ID number, that way when the script comes to call on the information in the database its looking for a numeric varible, and that can be filtered in the script quickly and easily...

 

obviously you dont make a members website and only have the users member number as a way of finding out who they are, but thats the general jift of it.

 

you get the idea :)

Lumio Member

Lumio

Posted
Posted 

mysql_real_escape_string('text to get ecaped');

helps.

But not as well.

Better:

Create a file and name it global.php (or something else)

And now write the following lines into it:

<?php
/* When magic_quotes are on, every
    date form the outside gets escaped.
    So we strip it to do that by our own */

if (get_magic_quotes_gpc()) {
	$_POST = array_map('stripslashesinarray', $_POST);
	$_GET = array_map('stripslashesinarray', $_GET);
	$_COOKIE = array_map('stripslashesinarray', $_COOKIE);
	$_REQUEST = array_map('stripslashesinarray', $_REQUEST);
}

function stripslashesinarray($value) {
	return (is_array($value) ? array_map('stripslashesinarray', $value):stripslashes($value));
}

function real_escape($value) {
	return (empty($value)) ? "''":is_string($value) ? "'".addslashes($value)."'":$value;
}
?>

Now include that file on the top of every oder file. For example:

<?php
require_once './config.php';
require_once './global.php';

mysql_query('SELECT `column1` FROM `table` WHERE `column2` = '.real_escape($_GET['column2']).' LIMIT 1;');
// and so on...
?>

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.