
Some questions about SQL Injections


adrianTNT


Hello.


I need a bit of help with understanding how to protect against SQL injections.


- Do I only need to worry about SQL injections when inserting a record into the database? Or when reading from the database too?

- Does this function protect me against injections? Or does it only add quotes around values?


Thank you.


if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  // If magic_quotes_gpc already added backslashes, strip them so the value is not escaped twice.
  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

  // Escape characters that have special meaning inside a MySQL string literal.
  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  // Turn the escaped value into an SQL literal of the requested type (NULL when empty).
  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      // Ignore the value itself and return one of the two caller-supplied literals.
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}


https://forums.phpfreaks.com/topic/69707-some-questions-about-sql-injections/

The mysql_real_escape_string part protects against injection. So yes, that function does protect against injection.


For question 1, you need to worry only about the data you specify in the query.  For example, if you select by name, you must worry about injection in the name, but not in the data returned from the database.

So injection can be used when selecting from database too?

For example, site.com/templates/files.html will select and print from the database the listings with cat_title "templates". Could a user find other data (like passwords) by using a URL formatted something like this?

site.com/SQL select 'passwords'/files.html ?

Thanks.
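To make the reply's point concrete (a SELECT is injectable whenever user input is pasted into the SQL text, which is exactly the URL case asked about), here is an added example that is not from the thread or from the Dreamweaver helper above. It uses PDO with an in-memory SQLite database so it runs offline; the listings table, its rows and the inputs are constructed sample data, and it assumes the pdo_sqlite extension is available.

```php
<?php
// Added example: the same SELECT built two ways against constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE listings (id INTEGER PRIMARY KEY, cat_title TEXT, file_name TEXT)");
$db->exec("INSERT INTO listings (cat_title, file_name) VALUES
           ('templates', 'files.html'),
           ('templates', 'index.html'),
           ('private',   'passwords.txt')");

// Unsafe: the URL segment becomes part of the SQL text, so a value containing
// a quote changes the structure of the WHERE clause instead of just its data.
function listingsUnsafe(PDO $db, string $catTitle): array
{
    $sql = "SELECT file_name FROM listings WHERE cat_title = '$catTitle'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: a prepared statement sends the value separately from the SQL text,
// so whatever the user typed is compared as one literal string.
function listingsSafe(PDO $db, string $catTitle): array
{
    $stmt = $db->prepare("SELECT file_name FROM listings WHERE cat_title = ?");
    $stmt->execute([$catTitle]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$normal  = 'templates';            // the category a visitor would normally request
$crafted = "x' OR '1'='1";         // constructed input: a quote plus an always-true condition

// Both functions return only the "templates" rows for a normal category name.
print_r(listingsUnsafe($db, $normal));
print_r(listingsSafe($db, $normal));

// With the crafted value the unsafe query's WHERE clause no longer restricts by
// category, so rows from other categories (here the "private" one) are returned,
// while the safe query simply finds no category with that literal name.
print_r(listingsUnsafe($db, $crafted));
print_r(listingsSafe($db, $crafted));
```

The escaping helper in the first post reduces the same risk for string values it is applied to, but the prepared statement works regardless of which value is quoted, escaped or forgotten, which is why it is the preferred fix.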
