timmy0320 Posted February 16, 2008

Well first off, let me say that I've used search a lot on this topic. Google, etc. Read up on a lot of ways to stop SQL injections. But what my question is, what I have on my registration page is an email formatting check, usernames are alphanumeric only, all the works. It also has inputs for a Referral, First Name, Last Name and Security Question answer. I tried injecting my site with the "common" injections that I've found through browsing.

What I use is stripslashes(trim()). Until I put an "or die();" feature after the insert it just wasn't inserting the user because of my attempts to inject it. What I did was test the insertions and when I used common injections the or die(); would show. The message I put into it was "hack attempt." I tested it with other characters such as !@#$%(^&)*" and it only does the die when I actually insert an injection.

My question is just simple: is stripslashes(trim()); a good way to prevent injections or should I use other formatting? Also, should I leave the or die(); at "Hack attempt" or just put "Error Registering"? lol....

$answer = stripslashes(trim($_POST['answer']));
xenophobia Posted February 16, 2008

Use:

$answer = mysql_real_escape_string($_POST['answer']);
timmy0320 Posted February 16, 2008 (Author)

Read that somewhere also. Everyone's got plenty of different ways; I've seen a bunch of different things, but I've been learning a lot of stuff from here and php.net by reading, and you guys have the best knowledge I've seen for a forum. Thanks for the help. Anyone else have more suggestions, send 'em!
Daniel0 Posted February 16, 2008

Use prepared statements with PDO.
timmy0320 Posted February 16, 2008 (Author)

> Use prepared statements with PDO.

Sorry for the dumb question, but isn't that alpha characters only? I'm still pretty new to PHP.
Daniel0 Posted February 16, 2008

No, it'll be safe for everything.

<?php
$pdo = new PDO('mysql:dbname=test;host=localhost', 'root', 'password');

// The ? placeholder is bound separately from the SQL text, so the value can
// never be parsed as part of the query.
$statement = $pdo->prepare('SELECT * FROM users WHERE username = ? LIMIT 1');
$statement->execute(array($_GET['username'])); // execute() takes an array and returns bool
$user = $statement->fetch();
?>
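To tie the advice above back to the original question, here is an added example (not code from the thread) of the registration INSERT the first post describes, written as a PDO prepared statement. Two caveats worth stating plainly: stripslashes() does not defend against injection at all, it only undoes the escaping that magic_quotes added; and the mysql_* functions such as mysql_real_escape_string() were removed in PHP 7, so PDO (or mysqli) with placeholders is the portable answer. The example uses an in-memory SQLite database so it runs offline; the table name, column names and the $input array are assumptions made for illustration.

```php
<?php
// Added example, not from the original thread. Registration insert with a
// PDO prepared statement. Table/column names and $input are assumptions.

function registerUser(PDO $pdo, array $input)
{
    // Validation is for data quality, not for injection defence; the prepared
    // statement below is what keeps user input out of the SQL.
    $username = trim($input['username']);
    if (!preg_match('/^[A-Za-z0-9]{3,32}$/', $username)) {
        return 'Invalid username';
    }
    $email = trim($input['email']);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'Invalid email';
    }

    // Named placeholders, never string concatenation. The driver receives the
    // SQL and the values separately, so a quote in the answer is just a quote.
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, email, first_name, last_name, referral, answer)
         VALUES (:username, :email, :first_name, :last_name, :referral, :answer)'
    );
    $stmt->execute(array(
        ':username'   => $username,
        ':email'      => $email,
        ':first_name' => trim($input['first_name']),
        ':last_name'  => trim($input['last_name']),
        ':referral'   => trim($input['referral']),
        ':answer'     => trim($input['answer']),
    ));
    return 'Registered';
}

function findUser(PDO $pdo, $username)
{
    // Same rule for reads: bind the value, do not splice it into the query.
    $stmt = $pdo->prepare('SELECT username, answer FROM users WHERE username = ? LIMIT 1');
    $stmt->execute(array($username));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:');
// Throw on SQL errors instead of failing silently; catch and log them rather
// than echoing driver messages to the visitor.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Let the driver/server do the binding where it supports it.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT,
            first_name TEXT, last_name TEXT, referral TEXT, answer TEXT)');

// Constructed input: an apostrophe in the surname and a classic injection
// payload in the security answer, the kind of thing the first post was testing.
$input = array(
    'username'   => 'timmy',
    'email'      => 'timmy@example.com',
    'first_name' => 'Tim',
    'last_name'  => "O'Brien",
    'referral'   => '',
    'answer'     => "blue' OR '1'='1",
);

try {
    echo registerUser($pdo, $input), "\n";
    $row = findUser($pdo, 'timmy');
    // The payload was stored as literal text and the query was not altered.
    echo $row['answer'], "\n";
} catch (PDOException $e) {
    error_log($e->getMessage());        // keep details in the server log
    echo "Error registering\n";         // generic message for the user
}
```

On the "hack attempt" versus "Error Registering" question raised in the first post: whatever the message says, keep it generic and never echo the database error text (or the failed query) back to the browser, since that tells an attacker exactly which characters broke the statement. Log the detail server side instead, as the catch block above does.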