[SOLVED] MySQL Injection Prevention

xProteuSx

I am looking to prevent MySQL injection attacks on my site.  I was wondering if this is the correct way of doing things.  I cannot get this to work ...

 

Here is the original code:

 

--------------------------------------------------------------------------------------------------------------------------

$loginhandle = $_POST['username'];

$loginpassword = $_POST['password'];

include ("include/db.php");

$query = "SELECT * FROM users WHERE users_handle = '$loginhandle' AND users_password = '$loginpassword'";

$userstatsresult = mysql_query($query) or die ('Error in query 0: ' . mysql_error());

 

--------------------------------------------------------------------------------------------------------------------------

 

My understanding is that I have to do the following:

 

--------------------------------------------------------------------------------------------------------------------------

$loginhandle = mysql_real_escape_string($_POST['username']);

$loginpassword = mysql_real_escape_string($_POST['password']);

include ("include/db.php");

$query = "SELECT * FROM users WHERE users_handle = '$loginhandle' AND users_password = '$loginpassword'";

$userstatsresult = mysql_query($query) or die ('Error in query 0: ' . mysql_error());

 

--------------------------------------------------------------------------------------------------------------------------

 

However, this does not work.  The original code executes correctly, and I can log in.  However, after I add the mysql_real_escape_string() functions I get a series of errors:

 

 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'username@'server' (using password: NO) in /loginconf.php on line 25

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in loginconf.php on line 25

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'username@'server' (using password: NO) in /loginconf.php on line 26

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /loginconf.php on line 26

 

Any reason why this would bugger up the connection code?

https://forums.phpfreaks.com/topic/80181-solved-mysql-injection-prevention/

So he is right in saying that...

 

mysql_real_escape_string($_POST['whatever']);

 

WILL prevent a mysql injection?

 

Because at the moment that's what I'm using, I just want to know if there is anything better, or if I should do anything differently to prevent this?

 

Thanks

Booya - Kasha!  Thanks 'cooldude832'!  Just had to change the order of things.  Solved it by doing this:

 

$loginhandle = $_POST['username'];

$loginpassword = $_POST['password'];

include ("include/db.php");

$loginhandle = mysql_real_escape_string($loginhandle);

$loginpassword = mysql_real_escape_string($loginpassword);

 

Just had to do the mysql_real_escape_string() nonsense following the inclusion of db.php.

It will surely help prevent it.
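To answer the "is there anything better?" question and to show why the order of the calls mattered, here is an added example (not code from the thread or from phpfreaks) of the same login query written two ways with the mysqli extension: a prepared statement with bound parameters, and connection-aware escaping done only after the connection exists. Host, database name and credentials are placeholders; the table and column names are the ones used in the thread. The legacy mysql_* functions used in the thread were removed in PHP 7, so mysqli (or PDO) is what you would use today.

```php
<?php
// Added example (not from the thread): the thread's login query, written so that
// user input can never change the SQL. Connection details are placeholders.
declare(strict_types=1);

function connect(): mysqli
{
    // Throw exceptions instead of "or die(mysql_error())" on every call.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
    $db->set_charset('utf8mb4'); // escaping/binding is charset-aware; set it explicitly
    return $db;
}

// 1. Prepared statement (preferred): the query text reaches MySQL without the
//    values, so a quote or comment sequence inside $handle/$password is only data.
function findUser(mysqli $db, string $handle, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT * FROM users WHERE users_handle = ? AND users_password = ?'
    );
    $stmt->bind_param('ss', $handle, $password); // two string parameters
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

// 2. Escaping (what the thread settled on): only valid AFTER the connection is
//    open, which is why calling it before include("include/db.php") produced
//    "A link to the server could not be established".
function findUserEscaped(mysqli $db, string $handle, string $password): ?array
{
    $h = $db->real_escape_string($handle);
    $p = $db->real_escape_string($password);
    $query = "SELECT * FROM users WHERE users_handle = '$h' AND users_password = '$p'";
    $row = $db->query($query)->fetch_assoc();
    return $row ?: null;
}

// Note: the thread compares the plaintext password inside the query; storing a
// hash and checking it with password_verify() is the usual practice today.
$db = connect();
$user = findUser($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
echo $user ? 'login ok' : 'login failed';
```

Either function resists injection; the prepared statement is preferred because it does not depend on getting the escaping step, the connection order, or the quoting in the query string right.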

 

