kratsg Posted October 25, 2007

SQL Injection could represent the following:

How to prevent: (this is a simple function that will always clean your strings, that I've always used)

    function sanitize($value) {
        // if I remember, if it was on, it automatically added slashes, so we needed to remove those slashes first
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // newer versions of PHP have this awesome function (which handles it all for you)
        // (it escapes using the character set of the currently open MySQL connection, so call it after connecting)
        if (function_exists("mysql_real_escape_string")) {
            $value = mysql_real_escape_string($value);
        }
        // use addslashes for older PHP versions I believe
        else {
            $value = addslashes($value);
        }
        return $value;
    }

I forgot where I get this from, but I've always stuck it in a class, called it to clean a string, and stored it in the database. Any comments, questions, suggestions? I've always been asked about how to prevent SQL injection, or what it is. So I figured I'd post something about it to help anyone who's lost on adding security to their PHP stuff :-)
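Added example (not from this thread or any poster): the same "clean a string and store it in the database" task done with a prepared statement through PDO, so the value is bound as data instead of being escaped by hand. It uses an in-memory SQLite database so it runs with no MySQL server; the table name, column names and the sample value are constructed for the example.

```php
<?php
// Added example, not code from the thread. PDO with SQLite in memory so it
// runs stand-alone; the same prepare()/execute() calls work for a MySQL DSN.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample input: an apostrophe is exactly the character that breaks a
// query built by string concatenation, and the one sanitize() has to escape.
$name = "O'Brien";

// The value never becomes part of the SQL text. It is sent as a bound parameter,
// so no stripslashes/addslashes/mysql_real_escape_string step is needed and the
// database cannot mistake the apostrophe for SQL syntax.
$insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $name]);

$select = $db->prepare('SELECT name FROM users WHERE name = :name');
$select->execute([':name' => $name]);
$row = $select->fetch(PDO::FETCH_ASSOC);

// The stored value round-trips unchanged, apostrophe included.
var_dump($row['name'] === $name);
```

For MySQL, swap the DSN for something like `new PDO('mysql:host=localhost;dbname=app', $user, $pass)` and keep the rest as is. One thing carries over from the sanitize() function: if magic quotes is on, PHP has already added slashes to `$_POST`/`$_GET` values, so you still need `stripslashes()` before binding, otherwise the backslashes get stored literally.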
StormTheGates Posted October 25, 2007

Or just turn on magic quotes?
kratsg Posted October 25, 2007 (Author)

@StormTheGates magic_quotes is becoming deprecated, in my point of view. In fact, the reason being you could never know the format of the string you're handling, as it defaults it for you. However, the mysql_real_escape_string() is a new function being released that does the job a helluva lot better. (I suggest using the latter; older PHP versions will probably need to stick with addslashes/magic_quotes.)
dbo Posted October 25, 2007

Magic quotes causes more problems than it fixes and should not be trusted. Furthermore it will not be in PHP6.
kratsg Posted October 25, 2007 (Author)

Quoting dbo: "Magic quotes causes more problems than it fixes and should not be trusted. Furthermore it will not be in PHP6."

What he said xD