
MySQL Injection

Posted: Tue Feb 17, 2004 8:25 am
by malcolmboston
In my quest for coding more securely, and in turn better, I have been looking at ways a potential hacker could compromise my sites.

I have heard many people mention MySQL injection and would like to know possible ways to circumvent this risk.

Also, if anyone else can think of any other common security risks employed by the hacker community, your knowledge would be invaluable.

thanks
Mal

Posted: Tue Feb 17, 2004 10:04 am
by McGruff
(1) Always quote string input in db query strings.
(2) Always escape string input.
(3) Both the above will also deal with expected integer input which is not actually an integer, but it's possibly better to force type with intval().

Code:

<?php
// note the single quotes around the escaped string value
$sql = "SELECT ..etc .. WHERE col='" . mysql_escape_string($string) . "' ...etc";

// integer input: no quotes, but force the type with intval()
$sql = "SELECT ..etc .. WHERE col=" . intval($number) . " ...etc";
?>
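
The three rules above, worked through end to end as an added example (this is not McGruff's code or anything from the thread). To run offline it assumes PDO with an in-memory SQLite database standing in for the MySQL connection; the users table, its two rows and the hostile input strings are all constructed here. For MySQL, only the DSN passed to new PDO() changes, and with the old mysql extension the escaping step is the quoted mysql_escape_string() call shown above.

```php
<?php
// Added example: quote + escape, intval(), and prepared statements,
// demonstrated against a throwaway SQLite database via PDO (assumption:
// pdo_sqlite is available; swap the DSN for a MySQL one in real use).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER, name TEXT)");
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");

// Constructed hostile input: a quote that closes the string literal
// followed by a tautology, and a non-integer where an id is expected.
$name = "x' OR '1'='1";
$id   = "1 OR 1=1";

// Unsafe: unescaped input spliced straight into the query text, so the
// attacker's quote ends the literal and the tautology matches every row.
$unsafe = "SELECT id FROM users WHERE name='" . $name . "'";
echo count($db->query($unsafe)->fetchAll()), " rows from the unsafe query\n";

// Rules (1) and (2): quote AND escape the string. PDO::quote() does both;
// the value is now compared as one literal and matches nothing.
$safe = "SELECT id FROM users WHERE name=" . $db->quote($name);
echo count($db->query($safe)->fetchAll()), " rows from the escaped query\n";

// Rule (3): force expected-integer input to an integer before using it.
// intval("1 OR 1=1") is 1, so only the row with id 1 can match.
$safeInt = "SELECT id FROM users WHERE id=" . intval($id);
echo count($db->query($safeInt)->fetchAll()), " rows from the intval() query\n";

// Prepared statements keep query text and data separate, so no escaping
// is needed at all; prefer them wherever the driver supports them.
$stmt = $db->prepare("SELECT id FROM users WHERE name = :name AND id = :id");
$stmt->execute([':name' => $name, ':id' => intval($id)]);
echo count($stmt->fetchAll()), " rows from the prepared statement\n";
```

Running it shows the point of the thread directly: the unsafe query returns both rows because the tautology matches everything, the escaped-and-quoted query returns none, the intval() query returns only the row with id 1, and the prepared statement returns none. PDO::quote() escapes using the connection's rules, which is the same reason mysql_real_escape_string() is preferable to mysql_escape_string() on a real MySQL connection: the escaping must match the connection's character set.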

Posted: Wed Feb 18, 2004 11:24 am
by malcolmboston
ty very much :lol:

Posted: Wed Feb 18, 2004 2:55 pm
by fractalvibes
This article has some good info on SQL injection and ways to avoid it. It's an ASP site, but the same principles apply:

http://www.4guysfromrolla.com/webtech/112702-1.shtml

fv