In my quest for coding more securely and in turn better, I have been looking at ways a potential hacker could compromise my sites.
I have heard many people mention MySQL injection and would like to know possible ways to circumvent this risk.
Also, if anyone else can think of any other common security risks employed by the hacker community, your knowledge would be invaluable.
thanks
Mal
MySQL Injection
-
malcolmboston
- DevNet Resident
- Posts: 1826
- Joined: Tue Nov 18, 2003 1:09 pm
- Location: Middlesbrough, UK
(1) Always quote string input in db query strings.
(2) Always escape string input.
(3) Both the above will also deal with expected integer input which is not actually an integer, but it's possibly better to force type with intval().
<?php
// note the single quotes around the escaped string, and none around the integer
// (mysql_escape_string is deprecated; mysql_real_escape_string respects the connection charset)
$sql = "SELECT ..etc .. WHERE col='" . mysql_escape_string($string) . "' ...etc";
$sql = "SELECT ..etc .. WHERE col=" . intval($number) . " ...etc";
?>
Last edited by McGruff on Tue Aug 09, 2005 5:35 pm, edited 1 time in total.
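The three rules above, worked into runnable PHP. This is an added example, not code from the thread or from McGruff; it assumes a mysqli connection `$db` and a table `users(id INT, name VARCHAR)`, and it also shows the prepared-statement form that makes quoting and escaping the driver's job.

```php
<?php
// Added example (not from the thread). Assumes a mysqli connection $db and a
// table `users` with columns id (INT) and name (VARCHAR).
declare(strict_types=1);

// Rules (1) and (2): quote AND escape string input. With mysqli the
// connection-aware escape function is $db->real_escape_string().
function buildNameQuery(mysqli $db, string $name): string
{
    return "SELECT id, name FROM users WHERE name='" . $db->real_escape_string($name) . "'";
}

// Rule (3): force the type with intval(). intval('5 OR 1=1') === 5, so anything
// trailing the digits never reaches the query, and a real integer needs no quotes.
function idFromRequest(array $get): int
{
    return intval($get['id'] ?? 0);
}

function buildIdQuery(int $id): string
{
    return "SELECT id, name FROM users WHERE id=" . $id;
}

// Preferred form: a prepared statement. The value travels separately from the
// SQL text, so the driver handles quoting and escaping for every input type.
function findUserById(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare("SELECT id, name FROM users WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage (assumed, constructed credentials and inputs):
// $db = new mysqli('localhost', 'user', 'pass', 'app');
// echo buildNameQuery($db, "O'Brien"), "\n";                       // ... name='O\'Brien'
// echo buildIdQuery(idFromRequest(['id' => '5 OR 1=1'])), "\n";    // ... id=5
// var_dump(findUserById($db, idFromRequest($_GET)));
```

The first two builders show the forum's advice literally; `findUserById` is what to reach for in new code, since a bound parameter cannot change the structure of the statement no matter what the user typed.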
-
fractalvibes
- Forum Contributor
- Posts: 335
- Joined: Thu Sep 26, 2002 6:14 pm
- Location: Waco, Texas
This article has some good info on SQL injection and ways to avoid it; it's an ASP site, but the same principles apply:
http://www.4guysfromrolla.com/webtech/112702-1.shtml
fv