SQL Injection

Posted: Wed Nov 01, 2006 2:52 pm
by amir
Hello All!
I have read some SQL Injection articles but I am still confused about

-> what is SQL Injection
-> How can it be dangerous
-> How to avoid it

Very very thankful if you could provide me some good examples.

Posted: Wed Nov 01, 2006 2:59 pm
by _ca_
Hi.

You can find a nice article about that (and other security related topics) at http://phpsec.org/projects/guide/3.html#3.2.

Chris

Posted: Wed Nov 01, 2006 3:03 pm
by feyd
1. User input that has not been handled (properly), thereby allowing them to "inject" command data into a SQL query.
2. Code:

    $foo = '\' OR 1--'; // assume this is user input.
    $query = "SELECT * FROM users WHERE password = '$foo';";
    // i.e. SELECT * FROM users WHERE password = '' OR 1--';

3. Properly validate, verify and escape all user input that is used.
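The injection in feyd's snippet, run end to end and then fixed with a bound parameter, as an added example (not code from the thread; it uses Python with an in-memory SQLite table of constructed sample users rather than PHP and MySQL, but the same `' OR 1--` input is used):

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, password):
    """Builds the query by string interpolation, like the PHP example above.

    With password = "' OR 1--" the SQL text becomes
        SELECT name FROM users WHERE password = '' OR 1--'
    The quote closes the literal, OR 1 is always true, and -- comments
    out the trailing quote, so every user is returned.
    """
    query = f"SELECT name FROM users WHERE password = '{password}'"
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, password):
    """Passes the input as a bound parameter.

    The SQL text is fixed at "... password = ?"; the driver hands the
    value to the engine separately, so quotes and -- inside it are just
    characters to compare against, never SQL syntax.
    """
    query = "SELECT name FROM users WHERE password = ?"
    return [row[0] for row in conn.execute(query, (password,))]


def demo():
    """Returns (vulnerable result, safe result) for the injection input."""
    conn = make_db()
    payload = "' OR 1--"
    return login_vulnerable(conn, payload), login_safe(conn, payload)


if __name__ == "__main__":
    vulnerable, safe = demo()
    print("interpolated query returned:", vulnerable)  # every user
    print("parameterised query returned:", safe)       # no user
```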