MySQL Injection

PHP programming forum.
malcolmboston
DevNet Resident
Posts: 1826
Joined: Tue Nov 18, 2003 1:09 pm
Location: Middlesbrough, UK


Post by malcolmboston »

In my quest for coding more securely, and in turn better, I have been looking at ways a potential hacker could compromise my sites.

I have heard many people mention MySQL injection and would like to know possible ways to circumvent this risk.

Also, if anyone else can think of any other common security risks employed by the hacker community, your knowledge would be invaluable.

Thanks,
Mal
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

(1) Always quote string input in db query strings.
(2) Always escape string input.
(3) Both the above will also deal with expected integer input which is not actually an integer, but it's possibly better to force type with intval().

Code:

<?php
// Note the single quotes around the escaped value: escaping only helps
// when the value sits inside a quoted literal.
// mysql_real_escape_string() escapes according to the connection's character
// set; the older mysql_escape_string() does not. (The whole mysql_* extension
// was removed in PHP 7; mysqli_real_escape_string() or PDO is the equivalent today.)
"SELECT ..etc .. WHERE col='" . mysql_real_escape_string($string) . "' ...etc"

// An integer column is not quoted, so escaping cannot protect it; force the type instead.
"SELECT ..etc .. WHERE col=" . intval($number) . " ...etc"
?>
Last edited by McGruff on Tue Aug 09, 2005 5:35 pm, edited 1 time in total.
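A worked version of the three points above, added here as an example; it is not part of McGruff's post or the original thread. It uses PDO against an in-memory SQLite database so it runs without a MySQL server. The users table, its two rows and the attacker inputs are constructed for the demonstration, the helper rowCount() is mine, and PDO::quote() stands in for the quote-plus-escape step (with the mysqli extension the equivalent is mysqli_real_escape_string() wrapped in single quotes). The closing prepared-statement variant is not in McGruff's list and is shown as the alternative to prefer where the driver supports it.

```php
<?php
// Added example, not from the original thread. Runs against an in-memory
// SQLite database through PDO so no MySQL server is needed; the table, rows
// and attacker inputs below are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)");
$pdo->exec("INSERT INTO users (id, name, role) VALUES (1, 'alice', 'admin'), (2, 'bob', 'user')");

// Hypothetical helper for this example: run a query and count the rows it returns.
function rowCount(PDO $pdo, string $sql): int
{
    return count($pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC));
}

// Classic attacker input for a string parameter: closes the literal early
// and appends a tautology.
$evilName = "x' OR '1'='1";
// Attacker input for an integer parameter: no quotes are needed at all.
$evilId = "2 OR 1=1";

// Vulnerable: raw interpolation. The embedded quote ends the literal, so the
// WHERE clause becomes  name = 'x' OR '1'='1  and matches every user.
$sql = "SELECT name FROM users WHERE name = '" . $evilName . "'";
printf("%-12s %s -> %d row(s)\n", "vulnerable:", $sql, rowCount($pdo, $sql));

// Points (1) and (2): quote AND escape. PDO::quote() does both for the active
// driver (for SQLite it doubles the embedded quote; with mysqli you would
// write "'" . mysqli_real_escape_string($link, $s) . "'"). The attacker's
// text is now just an unusual name that matches no row.
$sql = "SELECT name FROM users WHERE name = " . $pdo->quote($evilName);
printf("%-12s %s -> %d row(s)\n", "escaped:", $sql, rowCount($pdo, $sql));

// Point (3): an integer column is not quoted, so escaping cannot protect it.
// Without intval() the clause would read  id = 2 OR 1=1  and return every
// row; intval("2 OR 1=1") is 2, so the injected tail is simply discarded
// and only bob is returned.
$sql = "SELECT name FROM users WHERE id = " . intval($evilId);
printf("%-12s %s -> %d row(s)\n", "intval:", $sql, rowCount($pdo, $sql));

// Not in McGruff's list, but the approach to prefer when the driver offers
// it: a prepared statement keeps data out of the SQL text entirely, so no
// quoting or escaping decision is left to the programmer.
$stmt = $pdo->prepare("SELECT name FROM users WHERE name = ? AND id = ?");
$stmt->execute([$evilName, $evilId]);
printf("%-12s -> %d row(s)\n", "prepared:", count($stmt->fetchAll(PDO::FETCH_ASSOC)));
```

Run it with `php example.php`; the vulnerable query is the only one that returns both users, which is the leak the thread is about. The intval() case is worth noting because it is the one that quoting and escaping alone do not cover: the payload contains no quote character to escape.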
malcolmboston
DevNet Resident
Posts: 1826
Joined: Tue Nov 18, 2003 1:09 pm
Location: Middlesbrough, UK

Post by malcolmboston »

Thank you very much :lol:
fractalvibes
Forum Contributor
Posts: 335
Joined: Thu Sep 26, 2002 6:14 pm
Location: Waco, Texas

Post by fractalvibes »

This article has some good info on SQL injection and ways to avoid it; it's an ASP site, but the same principles apply:

http://www.4guysfromrolla.com/webtech/112702-1.shtml

fv