:?: Escaping data :?:
Around the internet I found many pages talking about security. Among them, some told me to escape the data before inserting it into a database. Now, what does "escape data" mean? How and why am I supposed to do this?
Thanks.
Last edited by granite on Tue May 12, 2009 12:43 pm, edited 1 time in total.
Re: :?: Scaping data :?:
granite wrote: Among them, some told me to scape the data before inserting it into a database. Now, what does "scape data" mean?
http://www.php.net/mysql_real_escape_string
Last edited by Eran on Tue May 12, 2009 3:36 pm, edited 1 time in total.
Re: :?: Scaping data :?:
Hm... yeah, thanks, but this doesn't tell me much.
Why should I escape data before inserting it into a database?
- jayshields
- DevNet Resident
- Posts: 1912
- Joined: Mon Aug 22, 2005 12:11 pm
- Location: Leeds/Manchester, England
Re: :?: Escaping data :?:
So people don't misuse your website. SQL injection is one of the most talked about topics in this area.
Please don't use unnecessary characters in your thread titles to attract attention.
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Re: :?: Scaping data :?:
granite wrote: Hm... yeah, thanks, but this doesn't tell me much. Why should I escape data before inserting it into a database?
Given the code:
Code:
query("SELECT * FROM bank_account WHERE user='{$_GET['user']}'");
Someone could send the malicious URL:
bank.com?user=me' OR user='you
or:
bank.com?user=me'; INSERT INTO bank_account balance=10000000 WHERE user='me
Not exact syntax, but hopefully you get the idea.
(#10850)
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: :?: Scaping data :?:
granite wrote: Why should I escape data before inserting it into a database?
http://en.wikipedia.org/wiki/SQL_injection
Re: :?: Escaping data :?:
Hey, thanks for the links. Now this is much more clear for me. One more thing, though: doing something like
Code:
$query = sprintf("SELECT * FROM Users where UserName='%s' and Password='%s'",
    mysql_real_escape_string($Username),
    mysql_real_escape_string($Password));
mysql_query($query);
will make my login code (in this point, of course) 100% secure? If not, what more should I consider?
PS.: smurf... I'm gonna have to redo a LOT of things.
Last edited by granite on Tue May 12, 2009 6:48 pm, edited 2 times in total.
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Re: :?: Escaping data :?:
It will protect that query from injection attacks. It will not make your "login code 100% secure."
(#10850)
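The three points made in this thread (the interpolated query is injectable, escaping the value stops the quoted-string injection, and escaping only protects that one query) can be seen side by side in a small runnable example. This is an added illustration, not code from the thread; it uses Python with the built-in sqlite3 module instead of PHP/MySQL, so there is no mysql_real_escape_string: the stand-in escape doubles single quotes, which is the ANSI-SQL analogue of what that function does for MySQL string literals. The table, rows and the `me' OR user='you` value are constructed from the thread's own example.

```python
import sqlite3

# Constructed sample data standing in for the thread's bank_account table.
SAMPLE_ROWS = [("me", 100), ("you", 1000000)]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bank_account (user TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO bank_account VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_interpolated(conn, user):
    """Same shape as query("... WHERE user='{$_GET['user']}'") in the thread:
    the request value is pasted into the SQL text, so a quote character in the
    value ends the string literal and the rest becomes SQL syntax."""
    sql = f"SELECT user, balance FROM bank_account WHERE user='{user}' ORDER BY user"
    return conn.execute(sql).fetchall()


def escape_sql_string(value):
    """Minimal stand-in for mysql_real_escape_string, for SQLite's quoting rules:
    doubling a single quote keeps it inside the string literal. Only valid for
    values placed between single quotes, which is also true of the PHP function."""
    return value.replace("'", "''")


def lookup_escaped(conn, user):
    """The thread's sprintf + mysql_real_escape_string pattern: the value is
    escaped before being interpolated, so it stays a string literal."""
    sql = (
        "SELECT user, balance FROM bank_account "
        f"WHERE user='{escape_sql_string(user)}' ORDER BY user"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user):
    """Bound parameter: the SQL text is fixed and the value travels separately,
    so no escaping is needed and nothing in the value can change the query."""
    sql = "SELECT user, balance FROM bank_account WHERE user=? ORDER BY user"
    return conn.execute(sql, (user,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "me' OR user='you"          # the value from the thread's example URL
    print("interpolated :", lookup_interpolated(db, payload))   # both rows leak
    print("escaped      :", lookup_escaped(db, payload))        # no such user
    print("parameterized:", lookup_parameterized(db, payload))  # no such user
```

Running it shows the interpolated lookup returning both accounts for the injected value, while the escaped and parameterized lookups return nothing because they search for a user literally named `me' OR user='you`. The escaped variant matches what granite's sprintf code achieves; the parameterized one (PDO prepared statements in PHP) is the form that does not depend on remembering to escape every value. Neither changes anything about password storage, session handling or the rest of the login flow, which is Christopher's point.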
Re: :?: Escaping data :?:
Of course, that's what I meant. Thanks, everybody! 