xProteuSx Posted December 4, 2007

I am looking to prevent MySQL injection attacks on my site. I was wondering if this is the correct way of doing things. I cannot get this to work ... Here is the original code:

--------------------------------------------------------------------------------
$loginhandle = $_POST['username'];
$loginpassword = $_POST['password'];
include ("include/db.php");
$query = "SELECT * FROM users WHERE users_handle = '$loginhandle' AND users_password = '$loginpassword'";
$userstatsresult = mysql_query($query) or die ('Error in query 0: ' . mysql_error());
--------------------------------------------------------------------------------

My understanding is that I have to do the following:

--------------------------------------------------------------------------------
$loginhandle = mysql_real_escape_string($_POST['username']);
$loginpassword = mysql_real_escape_string($_POST['password']);
include ("include/db.php");
$query = "SELECT * FROM users WHERE users_handle = '$loginhandle' AND users_password = '$loginpassword'";
$userstatsresult = mysql_query($query) or die ('Error in query 0: ' . mysql_error());
--------------------------------------------------------------------------------

However, this does not work. The original code executes correctly, and I can log in.
However, after I add the mysql_real_escape_string() functions I get a series of errors:

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'username@'server' (using password: NO) in /loginconf.php on line 25
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in loginconf.php on line 25
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'username@'server' (using password: NO) in /loginconf.php on line 26
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /loginconf.php on line 26

Any reason why this would bugger up the connection code?
cooldude832 Posted December 4, 2007

Any mysql function (including escape string) has to be called after a connection is made. But you shouldn't put raw POST or GET data into a database, ever.
Dane Posted December 4, 2007

So he is right in saying that mysql_real_escape_string($_POST['whatever']); WILL prevent a MySQL injection? Because at the moment that's what I'm using; I just want to know if there is anything better, or anything I should do differently to prevent this? Thanks
xProteuSx Posted December 4, 2007

Booya - Kasha! Thanks 'cooldude832'! Just had to change the order of things. Solved it by doing this:

--------------------------------------------------------------------------------
$loginhandle = $_POST['username'];
$loginpassword = $_POST['password'];
include ("include/db.php");
$loginhandle = mysql_real_escape_string($loginhandle);
$loginpassword = mysql_real_escape_string($loginpassword);
--------------------------------------------------------------------------------

Just had to do the mysql_real_escape_string() nonsense following the inclusion of db.php.
revraz Posted December 4, 2007

Quoting Dane:
So he is right in saying that mysql_real_escape_string($_POST['whatever']); WILL prevent a MySQL injection? Because at the moment that's what I'm using; I just want to know if there is anything better, or anything I should do differently to prevent this? Thanks

It will surely help prevent it.
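The two points raised in this thread, that escaping needs a live connection and that raw request data should never be spliced into SQL, are shown together below in an added example that is not code from any of the posters. It rewrites the login query from the first post with the mysqli extension, using a prepared statement so the input is bound as data rather than escaped into the query text; the host, credentials and database name are placeholders, and the users table columns are assumed to match the thread.

```php
<?php
// Added example, not from the thread. Assumes a users table with the
// users_handle and users_password columns used in the original post.

// Placeholder connection details; replace with the values from db.php.
$db = new mysqli('db.example.invalid', 'app_user', 'app_password', 'app_db');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}

// The warnings in the first post come from escaping before any connection
// exists: mysqli::real_escape_string() likewise needs the open $db object,
// because the escaping rules depend on the connection's character set.
$escapedHandle = $db->real_escape_string($_POST['username'] ?? '');

// Stronger option than escaping: a prepared statement. The SQL text is sent
// with ? placeholders and the values are bound separately, so a quote or
// comment marker in the input can never change the statement's structure.
function findUser(mysqli $db, string $handle, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT * FROM users WHERE users_handle = ? AND users_password = ?'
    );
    if ($stmt === false) {
        die('Prepare failed: ' . $db->error);
    }
    // 'ss' declares both bound values as strings.
    $stmt->bind_param('ss', $handle, $password);
    if (!$stmt->execute()) {
        die('Execute failed: ' . $stmt->error);
    }
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$loginhandle   = (string) ($_POST['username'] ?? '');
$loginpassword = (string) ($_POST['password'] ?? '');

$user = findUser($db, $loginhandle, $loginpassword);
if ($user === null) {
    echo 'Login failed';
} else {
    echo 'Welcome, ' . htmlspecialchars($user['users_handle']);
}
```

The escaped $escapedHandle is computed only to show where escaping must sit relative to the connection; the query itself relies on the bound parameters and never interpolates it.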