How to prevent SQL injections? - Webmaster Forum - Web Design, Programming and SEO forums

02-28-2007, 06:36 PM

Sam Granger

Status: Request a custom title
Join date: Feb 2005
Location: The Netherlands
Expertise:
Software:

Posts: 2,616

iTrader: 19 / 88%

Sam Granger is on a distinguished road

How to prevent SQL injections?

How can you prevent SQL injections? I've heard the best way is not to use variables in SQL queries but isn't this really hard to achieve when making a complex script?

02-28-2007, 06:38 PM

Sam Granger

Status: Request a custom title
Join date: Feb 2005
Location: The Netherlands
Expertise:
Software:

Posts: 2,616

iTrader: 19 / 88%

Sam Granger is on a distinguished road

Whoops,s orry should of done a bit more research! Found info, please close topic.

02-28-2007, 07:50 PM

localhost

Status: Dediport Hosting
Join date: Jul 2006
Location: Berkshire
Expertise: programming, business
Software: Dreamweaver

Posts: 1,316

iTrader: 17 / 100%

localhost is on a distinguished road

Tell your answer then other people can know at least..

02-28-2007, 08:08 PM

Xuxa

Status: Request a custom title
Join date: Feb 2006
Location: USA
Expertise:
Software:

Posts: 1,076

iTrader: 17 / 95%

Xuxa is on a distinguished road

You can use magic quotes....

02-28-2007, 09:16 PM

bluesaga

Status: Member
Join date: Feb 2007
Location:
Expertise:
Software:

Posts: 137

iTrader: 1 / 100%

bluesaga is on a distinguished road

PHP Code:


			
function return_mysql_entry($var)

{

    if(gettype($var) != "integer")

        return "'".mysql_escape_string($var)."'";

    else

        return $var;

}



//Usage

$name = $_GET['name'];

$query = "SELECT * FROM table WHERE name=".return_mysql_entry($name);

02-28-2007, 09:48 PM

Xi0s

Status: Sin Binner
Join date: Dec 2006
Location: Huddersfield, UK
Expertise:
Software:

Posts: 384

iTrader: 3 / 83%

Xi0s is on a distinguished road

bluesaga has it there, mysql_escape_string() is the way forward

02-28-2007, 09:49 PM

prasunsen

Status: Junior Member
Join date: Dec 2006
Location:
Expertise:
Software:

Posts: 52

iTrader: 0 / 0%

prasunsen is on a distinguished road

I use mysql_real_escape_string and always put in quotes the arguments which might come from user input

02-28-2007, 10:18 PM

Xuxa

Status: Request a custom title
Join date: Feb 2006
Location: USA
Expertise:
Software:

Posts: 1,076

iTrader: 17 / 95%

Xuxa is on a distinguished road

I use OOP which uses Magic Quotes

02-28-2007, 10:39 PM

RaZoR^

Status: Member
Join date: Feb 2006
Location:
Expertise:
Software:

Posts: 191

iTrader: 1 / 100%

RaZoR^ is on a distinguished road

What does OOP have to do with escaping characters in HTTP strings? :s

Code:

<?php

// If magic quotes are enabled, strip slashes from all user data
function stripslashes_recursive($var) {
	return (is_array($var) ? array_map('stripslashes_recursive', $var) : stripslashes($var));
}

if (get_magic_quotes_gpc()) {
	$_GET = stripslashes_recursive($_GET);
	$_POST = stripslashes_recursive($_POST);
	$_COOKIE = stripslashes_recursive($_COOKIE);
}

?>

(Source: http://snippets.dzone.com/posts/show/324).

02-28-2007, 10:59 PM

#10

Andrew R

Status: Request a custom title
Join date: Dec 2005
Location: Arizona
Expertise:
Software:

Posts: 5,200

iTrader: 17 / 95%

Andrew R is on a distinguished road

mysql_real_escape_string()

There are no other functions needed.