
Thread: [RESOLVED] sql injection (question)

  1. #1

    Thread Starter
    Fanatic Member
    Join Date
    Jun 2008
    Posts
    1,023

    [RESOLVED] sql injection (question)

    Well, since a friend of mine showed me a page he has "hacked" with SQL injection, I realize how far people can get with it...

    Now I want to know how to prevent SQL injection on my site, like on a login/register form: what do I need, and are stripslashes() and/or strip_tags() required?
    ... and maybe htmlspecialchars() in forms like guestbooks or forums, comments and so on?

    I really want to make my sites secure; how can I prevent most SQL injections?

  2. #2
    Super Moderator si_the_geek's Avatar
    Join Date
    Jul 2002
    Location
    Bristol, UK
    Posts
    41,974

    Re: sql injection (question)

    I can't help with the code etc, as I haven't used PHP enough... but for most languages the way to solve it is to use Parameters for the data, so they can only be treated as data, and not part of the query itself.

    For further explanation (including the other benefits), see the article Why should I use Parameters instead of putting values into my SQL string? from our Database Development FAQs/Tutorials (at the top of the Database Development forum).

  3. #3
    PowerPoster
    Join Date
    Sep 2003
    Location
    Edmonton, AB, Canada
    Posts
    2,629

    Re: sql injection (question)

    None of the functions you mentioned help with SQL injection.

    As si_the_geek said, using parameterized queries is the easiest and probably the best way to prevent SQL injection. This can be achieved in PHP by using the PDO or MySQLi extensions rather than the default MySQL extension. If you could choose, I would personally recommend PDO.

    Using these extensions may not be possible, however, and they are a lot different from using the MySQL extension: they are object based. If you don't want to switch or are uncomfortable with switching, then there is still hope for you. It's just not the best kind of hope.

    I would suggest you read through this post that I made last year explaining in as much detail as possible how SQL injection actually works and how to prevent it using mysql_real_escape_string(), and also why magic_quotes_gpc() is an unreliable option.

    Ask questions (in this thread) if you need help or are confused.
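
    An added example (not code from this thread or its posters): the login lookup written both ways, the interpolated string the replies warn against beside the PDO prepared statement they recommend. It runs against an in-memory SQLite database with a constructed users table, so no MySQL server is needed; the table layout and the sample user name are assumptions.

```php
<?php
// Added example, not code from the thread. Uses PDO with an in-memory SQLite
// database so it runs without MySQL; the users table below is constructed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)");
$ins = $db->prepare("INSERT INTO users (username, password_hash) VALUES (:u, :h)");
$ins->execute([':u' => "o'brien", ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

// VULNERABLE: the pattern the thread warns about. Input is pasted into the SQL
// text, so a quote in $username changes the statement instead of being a value.
function vulnerableLookupSql(string $username): string {
    return "SELECT id, password_hash FROM users WHERE username = '$username'";
}

// SAFE: the SQL text is fixed at prepare time; the username is sent separately
// as a bound parameter, so the database only ever compares it as data.
function findUser(PDO $db, string $username): ?array {
    $stmt = $db->prepare("SELECT id, password_hash FROM users WHERE username = :u");
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Login check on top of the safe lookup. No stripslashes()/strip_tags()/
// htmlspecialchars() here: they do not protect the query, and htmlspecialchars()
// belongs where the username is printed into HTML, not where it is queried.
function checkLogin(PDO $db, string $username, string $password): bool {
    $row = findUser($db, $username);
    return $row !== null && password_verify($password, $row['password_hash']);
}

$input = "o'brien";  // a legitimate username that happens to contain a quote

echo "Interpolated SQL: " . vulnerableLookupSql($input) . PHP_EOL;
try {
    $db->query(vulnerableLookupSql($input));  // the stray quote makes this a syntax error
} catch (PDOException $e) {
    echo "Interpolated query failed: " . $e->getMessage() . PHP_EOL;
}

// The prepared statement handles the same input as a plain value.
var_dump(checkLogin($db, $input, 'correct horse'));  // user found, password matches
var_dump(checkLogin($db, $input, 'wrong password')); // user found, password does not match
```

    The same prepare/execute shape works unchanged against MySQL by swapping the DSN, which is the point of the advice above: the query text never contains user input.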

  4. #4

    Thread Starter
    Fanatic Member
    Join Date
    Jun 2008
    Posts
    1,023

    Re: sql injection (question)

    Well, thanks si_the_geek and kows, I'll use mysql_real_escape_string then.

    No questions yet, so I'll mark the thread as resolved.
