
[SOLVED] Trying to avoid SQL injections


rondog


I have been reading up on SQL injections and found solutions such as using mysql_real_escape and mysql_escape.

 

I have two questions:

 

1. Which is better to use?

 

2. I've looked at the examples on php.net, but can't really understand them. Am I running mysql_real_escape on the username and password fields or on the mysql_query? Can someone show a basic query example and kind of explain it for me? I would really appreciate it. Thanks!

https://forums.phpfreaks.com/topic/76409-solved-trying-to-avoid-sql-injections/

1) Use mysql_real_escape_string()

 

2) You do not run it on the entire query.  You do run it on any and every bit of data you receive from the user that you use in a query.

 

// Escape every user-supplied value before it is put into the query
$uname = mysql_real_escape_string($_POST['uname']);
$pass = mysql_real_escape_string($_POST['pass']);
$sql = "
  SELECT * FROM `users` WHERE `uname`='{$uname}' AND `pass`='{$pass}'
";
$q = mysql_query($sql); // the query string has to be passed in

 

You should also note that if magic quotes is on, you first need to stripslashes().

The manual has examples of doing so:

http://www.php.net/mysql_real_escape_string

Well, basically what happens is a person can enter ' or '1=1''

which tells the query to blank the password, but 1=1, so it goes on with the process. Using mysql_real_escape_string will escape these characters, adding \ (I believe) to the input, so that the user's input can't execute any malicious code.

 

Understand that?

 

You can read about it here:

http://www.securiteam.com/securityreviews/5DP0N1P76E.html
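To make the two answers above concrete, here is an added example that is not from the thread or from php.net: a self-contained Python model of what mysql_real_escape_string() and stripslashes() do to a value before it is interpolated into the login query, plus a small tokenizer that shows whether the value stayed inside its quotes. The escape table, the function names and the sample inputs are my own construction; the real mysql_real_escape_string() also needs the database connection so it can honour the connection's character set, which this pure-string model does not cover.

```python
"""Added example (not from the thread): a model of mysql_real_escape_string()
and stripslashes(), and a tokenizer that shows whether user input stayed
inside its quotes.  Pure Python, no MySQL connection required."""

# Characters MySQL treats specially inside a quoted literal and the
# backslash sequences mysql_real_escape_string() replaces them with.
MYSQL_ESCAPES = {
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}


def mysql_escape(value: str) -> str:
    """Model of mysql_real_escape_string() for single-byte character sets."""
    return "".join(MYSQL_ESCAPES.get(ch, ch) for ch in value)


def strip_slashes(value: str) -> str:
    """Model of PHP's stripslashes(): drop one backslash before each escaped
    character, undoing what magic_quotes_gpc did to the request data."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            i += 1
            if i == len(value):  # a lone trailing backslash is removed
                break
        out.append(value[i])
        i += 1
    return "".join(out)


def sanitize(raw: str, magic_quotes_on: bool) -> str:
    """The thread's advice: if magic_quotes_gpc already added slashes, undo
    them first, otherwise a quote is escaped twice and is stored as \\'."""
    if magic_quotes_on:
        raw = strip_slashes(raw)
    return mysql_escape(raw)


def build_login_query(uname: str, password: str, magic_quotes_on: bool = False) -> str:
    """The query from the thread, with every user-supplied value escaped
    before it is interpolated into the SQL string."""
    return "SELECT * FROM `users` WHERE `uname`='{}' AND `pass`='{}'".format(
        sanitize(uname, magic_quotes_on), sanitize(password, magic_quotes_on)
    )


def string_literals(sql: str) -> list:
    """Walk a query the way MySQL's tokenizer does and return the contents of
    each single-quoted literal (a backslash escapes the next character).
    A user value that stayed inside its quotes comes back as one literal."""
    literals, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] == "'":
            i += 1
            buf = []
            while i < n and sql[i] != "'":
                if sql[i] == "\\" and i + 1 < n:
                    i += 1  # keep the escaped character, drop the backslash
                buf.append(sql[i])
                i += 1
            literals.append("".join(buf))
        i += 1
    return literals


if __name__ == "__main__":
    # Constructed input: the classic ' or '1'='1 mentioned in the thread.
    payload = "' OR '1'='1"

    # Unescaped, the quote closes the literal and OR '1'='1 becomes SQL:
    # the password field turns into three separate literals.
    unsafe = "SELECT * FROM `users` WHERE `uname`='admin' AND `pass`='{}'".format(payload)
    print(unsafe)
    print(string_literals(unsafe))  # ['admin', '', '1', '1']

    # Escaped, the whole payload is one literal compared against the column.
    safe = build_login_query("admin", payload)
    print(safe)
    print(string_literals(safe))  # ['admin', "' OR '1'='1"]

    # With magic_quotes_gpc on, PHP hands the script a pre-slashed value;
    # stripping the slashes first gives the same result as escaping once.
    as_received = "\\' OR \\'1\\'=\\'1"
    print(sanitize(as_received, magic_quotes_on=True) == mysql_escape(payload))  # True
```

Run it as a script to see the two queries side by side: in the unescaped one the password field splits into three literals and the OR lands in SQL context, while in the escaped one the entire input is a single literal that is simply compared against the stored password. The last check is the magic-quotes point from the answer above: skipping stripslashes() when magic_quotes_gpc is on would escape the value twice.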

Thanks guys. I understand now ;)

 

@roopurt18: How do I know if magic quotes is on or off?

 

You can add this to a PHP file and see what it outputs:

<?php
// get_magic_quotes_gpc() returns 1 when magic_quotes_gpc is enabled
if (get_magic_quotes_gpc() == 1) {
    echo "Magic quotes gpc is on";
} else {
    echo "Magic quotes gpc is off";
}
?>

rondog; rather than just flat out tell you, I'm going to teach you to be resourceful.  Here again is the link I gave you above:

http://www.php.net/mysql_real_escape_string

 

That's a lot of reading, so press ctrl+f on your keyboard to bring up the find window for your browser and search for the term 'magic'

 

Should take you right to it.  :D


I've been to that page and don't understand it. I don't have time to teach myself. This is something that has a deadline and must be done as soon as possible. I've taught myself almost everything I know, and PHP being the newest language I know, there is still a plethora of functions that I don't even know exist, like magic quotes.

 

I do appreciate you wanting me to teach myself, but unfortunately time doesn't allow me at the moment.

 

@atlanta: turns out it's off. Thanks =]
