SQL Injection

amir
Forum Contributor
Posts: 287
Joined: Sat Oct 07, 2006 4:28 pm

SQL Injection

Post by amir »

Hello All!
I have read some SQL injection articles, but I am still confused about

-> what SQL injection is
-> how it can be dangerous
-> how to avoid it

I would be very, very thankful if you could provide me with some good examples.
_ca_
Forum Newbie
Posts: 12
Joined: Wed Oct 25, 2006 4:38 pm

Post by _ca_ »

Hi.

You can find a nice article about that (and other security related topics) at http://phpsec.org/projects/guide/3.html#3.2.

Chris
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

  1. User input that has not been handled (properly), thereby allowing them to "inject" command data into a SQL query.
  2. Code:

    $foo = '\' OR 1--'; // assume this is user input; the value of the PHP string is: ' OR 1--
    $query = "SELECT * FROM users WHERE password = '$foo';";
    // i.e. SELECT * FROM users WHERE password = '' OR 1--';
    // the quote closes the literal, OR 1 is always true, and -- comments out the rest
  3. Properly validate, verify and escape all user input that is used.
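As an added example (not part of feyd's post or anyone else's on this thread): the vulnerable query from the reply above, run against a small in-memory SQLite database, beside a hardened version that uses a PDO prepared statement, plus a validation check for input that must be numeric. The database, the users table and its rows, and the function names are assumptions made for the demonstration; the script needs the pdo_sqlite extension.

```php
<?php
// Added example, not code from the original post.
// Assumes the pdo_sqlite extension; the table and rows are constructed inline
// so the script runs offline.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$db->exec("INSERT INTO users (name, password) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");

// Simulated user input: the same payload as in the reply above, as it would
// arrive from a login form (no quoting or escaping has happened yet).
$foo = "' OR 1--";

// 1. Vulnerable: the input is concatenated into the SQL text. The quote closes
//    the string literal, "OR 1" makes the WHERE clause true for every row, and
//    "--" turns the rest of the statement into a comment.
function loginVulnerable(PDO $db, string $password): array
{
    $query = "SELECT name FROM users WHERE password = '$password'";
    return $db->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Hardened: a prepared statement sends the SQL and the value separately,
//    so the value is only ever compared as data and never parsed as SQL.
//    No escaping is needed because the value never enters the SQL text.
function loginPrepared(PDO $db, string $password): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE password = ?');
    $stmt->execute([$password]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Validate: where the input must be an integer, reject anything else before
//    it gets anywhere near a query, then still bind it as a parameter.
function findById(PDO $db, string $rawId): ?string
{
    if (!ctype_digit($rawId)) {
        return null; // not a valid id; never reaches SQL
    }
    $stmt = $db->prepare('SELECT name FROM users WHERE id = ?');
    $stmt->execute([(int) $rawId]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

var_dump(loginVulnerable($db, $foo));
var_dump(loginPrepared($db, $foo));
var_dump(findById($db, '1'));
var_dump(findById($db, $foo));
```

Run it with `php` on the command line: the vulnerable function returns every user, because the injected `OR 1` matches all rows; the prepared version returns nothing, because no row has the literal password `' OR 1--`; and the validated lookup only ever executes a query for an all-digit id. Prepared statements are the fix to reach for first; escaping functions are a fallback for the cases where a value genuinely has to be spliced into SQL text.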