security issues related to website built in php-mysql

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

bluestar
Forum Newbie
Posts: 13
Joined: Thu Mar 17, 2011 7:19 am

security issues related to website built in php-mysql

Post by bluestar »

Hi all... I am making a dynamic website in PHP-MySQL, so is there any way to protect my website from 'SQL injection' and other hacking stuff (I don't have any idea about them)?
Reviresco
Forum Contributor
Posts: 172
Joined: Tue Feb 19, 2008 4:18 pm
Location: Milwaukee

Re: security issues related to website built in php-mysql

Post by Reviresco »

Books have been written on this subject, but a short answer would be: use mysql_real_escape_string:
http://php.net/manual/en/function.mysql ... string.php

There are a lot of considerations, but basically you want to "clean" any input coming from outside, whether it's something you are expecting, or something you're not, like:

http://www.example.com?id=my+malicious+sql+code+here
Atlas
Forum Newbie
Posts: 2
Joined: Fri Mar 18, 2011 5:49 pm

Re: security issues related to website built in php-mysql

Post by Atlas »

SQL injection happens if you don't escape your strings. The best thing you can do is use a PHP MySQL library that'll automatically escape everything for you. I've personally had great results with the one I just linked to, MeekroDB.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: security issues related to website built in php-mysql

Post by Mordred »

bluestar, try the article in my signature.

Atlas, thanks for the MeekroDB link. It's somewhat similar in its design philosophy to the lib I wrote/use, so it piqued my interest. I'm curious about how well it handles escaping; I'll be taking a closer look at it. :)
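
The numeric `id` case from Reviresco's URL, as an added example that is not part of any post in this thread: escaping protects a value only inside a quoted string literal, while a validated, bound parameter never becomes SQL text. It assumes PDO with in-memory SQLite standing in for MySQL so it runs without a server; the table, helper names and sample inputs are constructed for illustration.

```php
<?php
// Added example. In-memory SQLite stands in for MySQL so no server is needed (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol')");

// Weak: escape the value, then place it in the query without quotes.
// substr() strips the quotes PDO::quote() adds, leaving only the escaping,
// which is what mysql_real_escape_string() returns. (Hypothetical helper name.)
function lookupEscapedOnly(PDO $pdo, string $id): array
{
    $escaped = substr($pdo->quote($id), 1, -1);
    $sql = "SELECT name FROM users WHERE id = $escaped"; // input becomes SQL syntax
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: require an integer, then bind it as a parameter so the value
// never becomes part of the SQL text. (Hypothetical helper name.)
function lookupBound(PDO $pdo, string $id): array
{
    $n = filter_var($id, FILTER_VALIDATE_INT);
    if ($n === false) {
        return []; // not an integer: reject before touching the database
    }
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $n, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed stand-ins for $_GET['id'].
foreach (['2', '2 OR 1=1'] as $input) {
    printf("%-10s escaped-only: %-22s bound: %s\n",
        $input,
        json_encode(lookupEscapedOnly($pdo, $input)),
        json_encode(lookupBound($pdo, $input)));
}
```

The `mysql_*` extension, including `mysql_real_escape_string`, was removed in PHP 7.0, so on current PHP the bound-parameter form is written with PDO or mysqli.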