I have a form and the input that can be accepted can be up to 32 characters in length and can accept any standard keyboard character such as (%, #, !, @, {, |, +) etc. So basically, the user could type in anything they wish and it could be accepted as legitimate!
How can I safely enter this type of user input into my MySQL database without it being susceptible to attacks?
SQL Injection worry
Re: SQL Injection worry
As I look into this a little bit more, are the bin2hex($string) and pack("H*", bin2hex($string)) functions safe enough to use in this case?
- jaoudestudios
Re: SQL Injection worry
I would use mysql_real_escape_string
Re: SQL Injection worry
jaoudestudios wrote:I would use mysql_real_escape_string
mysql_real_escape_string takes care of all special characters that might be used as tokens in your particular MySQL charset.
Re: SQL Injection worry
I've just moved on from dabbling with php/mysql cms's/forums/mailers to writing my own php/mysql from scratch.
Would mysql_real_escape_string protect against someone inputting ";rm.......blah" etc? I've searched for regular expressions for what you should disallow, but can't seem to find anything conclusive.
Thanks
Richard
Edit: Sorry for not keeping up, I'm new to this and see that this has nothing whatsoever to do with that, so I will ask elsewhere (but thanks for the heads up on SQL Injections, is this something you should perform on any user input to an SQL db?)
Re: SQL Injection worry
Apply to all input values, no matter where they come from (it may not be obvious if it is user input or not)
You also gotta be careful not to do certain things, and use proper quotes: http://www.logris.org/security/the-unex ... -injection
Proper measures will protect against all injection attacks. In addition though, PHP's client for talking mysql will not accept query stacking with ; so it's not a worry. (With MySQL it is possible only with a specific API from the mysqli_* family)
Re: SQL Injection worry
Have you looked into using bind-variables - see PHP's PDO extension. It should store the data in binary format directly into/from the db, so no need to escape when doing db queries. Although you always have to think of XSS attacks if you're using the user supplied input further down the line.
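The following is an added example, not code posted in this thread, that puts the three approaches discussed above (plain concatenation, escaping as in mysql_real_escape_string, and bound parameters via PDO) side by side, plus the unquoted-number case that escaping alone does not cover. It uses an in-memory SQLite database through PDO so it runs offline; that, the pdo_sqlite extension being enabled, and addslashes() standing in for an escape function that adds no quotes are the example's assumptions. Note that the old mysql_* extension was removed in PHP 7; mysqli_real_escape_string() and PDO are the current equivalents.

```php
<?php
// Added example, not code from the thread. It contrasts plain concatenation,
// escaping, and bound parameters, and shows the case where escaping alone
// fails. It uses an in-memory SQLite database through PDO so it runs offline;
// change the DSN to a mysql: one for real use.
// Assumption: the pdo_sqlite extension is enabled (on by default in most builds).

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Constructed attacker inputs; both fit the question's 32-character limit.
$nameAttack = "x' OR '1'='1";   // aimed at a quoted string literal
$idAttack   = "1 OR 1=1";       // aimed at an unquoted number

// Run a query built as a string and return how many rows it matches.
function countRows(PDO $pdo, string $sql): int
{
    return count($pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC));
}

// 1. Plain concatenation: the attacker's quote closes the literal and the
//    injected OR clause matches every row.
$sql = "SELECT id FROM users WHERE name = '$nameAttack'";
printf("concatenated:      %d rows (injected)\n", countRows($pdo, $sql));   // 2

// 2. Escaped and quoted: PDO::quote() doubles the embedded quote and wraps
//    the result in quotes. With mysqli you get the same effect from
//    mysqli_real_escape_string() plus the quotes you write around the value.
$sql = 'SELECT id FROM users WHERE name = ' . $pdo->quote($nameAttack);
printf("quoted:            %d rows\n", countRows($pdo, $sql));               // 0

// 3. Escaping without quotes: the numeric input contains nothing to escape,
//    so the OR clause survives untouched. addslashes() stands in here for an
//    escape function that adds no quotes; mysqli_real_escape_string() would
//    leave this input unchanged as well.
$sql = 'SELECT id FROM users WHERE id = ' . addslashes($idAttack);
printf("escaped, unquoted: %d rows (injected)\n", countRows($pdo, $sql));   // 2

// 4. Bound parameters: the value travels separately from the SQL text, so it
//    is never parsed as SQL no matter which characters it contains.
$stmt = $pdo->prepare('SELECT id FROM users WHERE name = :name');
$stmt->execute([':name' => $nameAttack]);
printf("bound:             %d rows\n", count($stmt->fetchAll()));            // 0

// 5. For numeric fields, validate the type before it goes anywhere near SQL.
$id = filter_var($idAttack, FILTER_VALIDATE_INT);
if ($id === false) {
    echo "rejected non-integer id: {$idAttack}\n";
} else {
    $stmt = $pdo->prepare('SELECT id FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
}

// 6. Bound parameters stop SQL injection only. When a stored value is later
//    echoed into HTML, escape it for that context (the XSS point above).
$stored = '<script>alert(1)</script>';
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```

Case 3 is the one the thread's "unexpected injection" link is about: an escape function only neutralises quote characters, so it protects a value only when you also wrap that value in quotes in the query. Bound parameters sidestep the question entirely, which is why they are the better default for new code.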
Re: SQL Injection worry
Thanks v much for the reply. Didn't know what the difference was between the MySQL and MySQLi PHP extensions.
Mordred wrote:Apply to all input values, no matter where they come from (it may not be obvious if it is user input or not)
You also gotta be careful not to do certain things, and use proper quotes: http://www.logris.org/security/the-unex ... -injection
Proper measures will protect against all injection attacks. In addition though, PHP's client for talking mysql will not accept query stacking with ; so it's not a worry. (With MySQL it is possible only with a specific API from the mysqli_* family)
Will have to go read up on XSS attacks now! Thanks again.