
Preventing MySQL Injection


seb hughes


It's different depending on the script.

I just look at ways in which data can find its way into the script, and that is filtered down to the point it can't be a SQL statement...

For example.

If you had a member website, instead of passing the user's user-name on the site in hidden fields and cookies, you could pass the member ID number. That way, when the script comes to call on the information in the database, it's looking for a numeric variable, and that can be filtered in the script quickly and easily...

Obviously you don't make a members website and only have the user's member number as a way of finding out who they are, but that's the general gist of it.

You get the idea :)

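The numeric-ID idea from the post above, as an added example (not code from the thread or its poster): the ID is validated as a positive integer before it gets anywhere near a query, so anything that is not a plain run of digits is rejected outright. The table and column names and the sample request values are constructed for the demonstration.

```php
<?php
// Added example: validate a member ID as a positive integer before use.
// Table/column names and the sample inputs below are constructed.

declare(strict_types=1);

/**
 * Return the member ID as an int, or null when the raw value is not a
 * positive integer. Values such as "1 OR 1=1" or "1' --" never pass,
 * so they cannot reach the SQL text.
 */
function member_id_from_input($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;                       // arrays, nulls, objects: never valid
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Build the lookup query from an already validated ID. Interpolating a
 * PHP int is safe: it can only ever render as a sequence of digits.
 */
function member_lookup_sql(int $memberId): string
{
    return 'SELECT `username`, `email` FROM `members` WHERE `member_id` = '
        . $memberId . ' LIMIT 1';
}

// Constructed values standing in for $_GET['id'] / $_COOKIE['id'].
$samples = [
    '42',          // a real ID
    '0',           // below the allowed range
    '-7',          // negative
    '42 OR 1=1',   // tautology attempt
    "42' --",      // quote/comment attempt
    '4e1',         // numeric-looking, but not an integer string
    ['42'],        // wrong type entirely
];

foreach ($samples as $raw) {
    $id    = member_id_from_input($raw);
    $shown = is_array($raw) ? 'array' : $raw;
    if ($id === null) {
        echo "reject  {$shown}\n";
    } else {
        echo "accept  {$shown}  ->  " . member_lookup_sql($id) . "\n";
    }
}
```

Only the accepted values reach `member_lookup_sql()`, and they arrive typed as `int`, which is why the interpolation there is safe even though the string building looks like the pattern that causes injection with untyped input.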

mysql_real_escape_string('text to get escaped');

helps.

But not as well.

Better:

Create a file and name it global.php (or something else)

And now write the following lines into it:

<?php
/* When magic_quotes are on, every piece of
   data from the outside gets escaped.
   So we strip it to do that on our own.
   (get_magic_quotes_gpc() no longer exists on current PHP,
   hence the function_exists guard.) */

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
	$_POST = array_map('stripslashesinarray', $_POST);
	$_GET = array_map('stripslashesinarray', $_GET);
	$_COOKIE = array_map('stripslashesinarray', $_COOKIE);
	$_REQUEST = array_map('stripslashesinarray', $_REQUEST);
}

/* Recursively strip the slashes magic_quotes added, nested arrays included. */
function stripslashesinarray($value) {
	return is_array($value) ? array_map('stripslashesinarray', $value) : stripslashes($value);
}

/* Quote a value for use inside an SQL statement. null or "" becomes '',
   strings are escaped and wrapped in quotes, other types (ints, floats)
   are returned as-is. Note: empty() must not be used here, because it
   would also turn the legitimate value "0" into ''. The escaping goes
   through mysql_real_escape_string, which knows the connection charset;
   addslashes does not, so it is unsafe with multibyte charsets.
   Requires the mysql connection (config.php) to be open already. */
function real_escape($value) {
	if ($value === null || $value === '') {
		return "''";
	}
	return is_string($value) ? "'" . mysql_real_escape_string($value) . "'" : $value;
}
?>

Now include that file at the top of every other file. For example:

<?php
require_once './config.php';
require_once './global.php';

mysql_query('SELECT `column1` FROM `table` WHERE `column2` = '.real_escape($_GET['column2']).' LIMIT 1;');
// and so on...
?>

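The same `column1`/`column2` lookup as the post above, as an added example that is not code from the thread or its poster: the value is sent to MySQL as a bound parameter, so there is no escaping step to forget, and a quoting helper is kept only for the odd statement that cannot take a placeholder. It assumes the mysqli extension and placeholder connection details (`localhost`, `app_user`, `app_password`, `app_db`); the table and column names are the post's own.

```php
<?php
// Added example: the post's query with a mysqli prepared statement.
// Connection details are placeholders; table/column names follow the post.

declare(strict_types=1);

/**
 * Fetch column1 for the row whose column2 equals $needle.
 * The value travels to the server separately from the SQL text, so quotes,
 * backslashes or charset tricks inside $needle cannot change the statement.
 */
function find_column1(mysqli $db, string $needle): ?string
{
    $stmt = $db->prepare('SELECT `column1` FROM `table` WHERE `column2` = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $needle);   // 's': bind as a string
    $stmt->execute();
    $stmt->bind_result($column1);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (string) $column1 : null;
}

/**
 * Fallback for a statement that cannot be parameterised: always quote,
 * always escape through the live connection (charset-aware), and keep
 * "0" and "" as real string literals instead of collapsing them.
 */
function quote_value(mysqli $db, $value): string
{
    if ($value === null) {
        return 'NULL';
    }
    return "'" . $db->real_escape_string((string) $value) . "'";
}

// --- usage (placeholder credentials) ---
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // errors become exceptions
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');   // escaping is only correct once the charset is set

$needle = $_GET['column2'] ?? '';
$result = find_column1($db, $needle);
echo $result === null ? "no match\n" : "column1 = {$result}\n";

// Same lookup built with the quoting helper, for the non-parameterisable case:
$sql = 'SELECT `column1` FROM `table` WHERE `column2` = ' . quote_value($db, $needle) . ' LIMIT 1';
```

`set_charset()` is called before anything is escaped or bound because `real_escape_string()` escapes according to the connection's character set; setting the charset with a `SET NAMES` query instead leaves the client library unaware of it.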
