SQL Injection worry

Posted: Mon Sep 08, 2008 8:04 am
by Patty
I have a form, and the input that can be accepted can be up to 32 characters in length and can contain any standard keyboard character such as %, #, !, @, {, |, +, etc. So basically, the user could type in anything they wish and it could be accepted as legitimate!

How can I safely enter this type of user input into my MySQL database without it being susceptible to attacks?

Re: SQL Injection worry

Posted: Mon Sep 08, 2008 8:44 am
by Patty
As I look into this a little bit more, are the bin2hex($string) and pack("H*", bin2hex($string)) functions safe enough to use in this case?

Re: SQL Injection worry

Posted: Mon Sep 08, 2008 9:09 am
by jaoudestudios
I would use mysql_real_escape_string

Re: SQL Injection worry

Posted: Mon Sep 08, 2008 1:27 pm
by Verminox
jaoudestudios wrote: I would use mysql_real_escape_string

mysql_real_escape_string takes care of all special characters that might be used as tokens in your particular MySQL charset.

Re: SQL Injection worry

Posted: Thu Sep 18, 2008 12:15 pm
by rabw
I've just moved on from dabbling with PHP/MySQL CMSs, forums and mailers to writing my own PHP/MySQL from scratch.

Would mysql_real_escape_string protect against someone inputting ";rm.......blah" etc.? I've searched for regular expressions for what you should disallow, but can't seem to find anything conclusive.

Thanks
Richard

Edit: Sorry for not keeping up. I'm new to this and see that this has nothing whatsoever to do with that, so I will ask elsewhere (but thanks for the heads-up on SQL injection; is this something you should perform on any user input to an SQL db?).

Re: SQL Injection worry

Posted: Fri Sep 19, 2008 4:57 am
by Mordred
Apply it to all input values, no matter where they come from (it may not be obvious whether something is user input or not).

You also have to be careful not to do certain things, and to use proper quotes: http://www.logris.org/security/the-unex ... -injection

Proper measures will protect against all injection attacks. In addition, though, PHP's client for talking to MySQL will not accept query stacking with ";", so that's not a worry. (With MySQL it is possible only through a specific API from the mysqli_* family.)

Re: SQL Injection worry

Posted: Fri Sep 19, 2008 9:38 pm
by allicient
Have you looked into using bind variables? See PHP's PDO extension. It should store the data in binary format directly into/from the db, so there is no need to escape when doing db queries. Although you always have to think of XSS attacks if you're using the user-supplied input further down the line.
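The two points made above (Mordred's "use proper quotes" and allicient's bind variables) are easier to see side by side. The following is an added example, not code from any poster in this thread. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database so it runs without a MySQL server; the helper names openDb, rawNames and boundNames are made up for the example, and addslashes() and PDO::quote() stand in for mysqli_real_escape_string(), which cannot be called without an open MySQL connection. The query shapes and the lesson carry over to MySQL unchanged.

```php
<?php
// Added example (not from the thread): raw concatenation vs. escaping vs.
// bound parameters. Assumption: in-memory SQLite via PDO (pdo_sqlite).

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    foreach (['alice', 'bob', 'carol'] as $name) {   // constructed sample rows
        $pdo->exec("INSERT INTO users (name) VALUES ('$name')");
    }
    return $pdo;
}

// Runs $sql exactly as written (no placeholders) and returns the matching names.
function rawNames(PDO $pdo, string $sql): array
{
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN, 0);
}

// Runs $sql with bound parameters and returns the matching names.
function boundNames(PDO $pdo, string $sql, array $params): array
{
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN, 0);
}

$pdo = openDb();

// 1. String context, no escaping. The quote in the input closes the literal,
//    the query becomes  WHERE name = '' OR '1'='1'  and every row matches.
$input = "' OR '1'='1";
var_dump(rawNames($pdo, "SELECT name FROM users WHERE name = '" . $input . "'"));

// 2. String context, escaped AND quoted. PDO::quote() doubles the embedded
//    quotes and wraps the value, so it is compared as one odd-looking name
//    that matches nobody. This is what mysqli_real_escape_string() plus the
//    surrounding quotes gives you on MySQL.
var_dump(rawNames($pdo, 'SELECT name FROM users WHERE name = ' . $pdo->quote($input)));

// 3. Numeric context, escaped but NOT quoted. "1 OR 1=1" contains nothing an
//    escaping function would touch, so addslashes() returns it unchanged and
//    the query becomes  WHERE id = 1 OR 1=1, matching every row again.
//    Escaping only helps inside a quoted string literal.
$input = '1 OR 1=1';
var_dump(rawNames($pdo, 'SELECT name FROM users WHERE id = ' . addslashes($input)));

// 4. Bound parameters. The value travels separately from the SQL text, so it
//    can never change the statement's structure. For a numeric column, cast or
//    validate as well, so a non-number is rejected before it is bound; here the
//    cast yields 1 and only that row is returned.
var_dump(boundNames($pdo, 'SELECT name FROM users WHERE id = ?', [(int) $input]));
var_dump(boundNames($pdo, 'SELECT name FROM users WHERE name = ?', ["' OR '1'='1"]));
```

On MySQL the same PDO code works with a DSN such as `mysql:host=...;dbname=...;charset=utf8mb4`; putting the charset in the DSN keeps the server and the client agreeing on what counts as a special character, which is the charset point Verminox raised. pdo_mysql emulates prepared statements on the client by default; setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the server handle the placeholders. The same technique is available through mysqli_prepare()/bind_param(), while the old mysql_* extension (including mysql_real_escape_string) was removed in PHP 7.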

Re: SQL Injection worry

Posted: Wed Oct 08, 2008 11:35 am
by rabw
Mordred wrote: Apply it to all input values, no matter where they come from (it may not be obvious whether something is user input or not).

You also have to be careful not to do certain things, and to use proper quotes: http://www.logris.org/security/the-unex ... -injection

Proper measures will protect against all injection attacks. In addition, though, PHP's client for talking to MySQL will not accept query stacking with ";", so that's not a worry. (With MySQL it is possible only through a specific API from the mysqli_* family.)
Thanks very much for the reply. I didn't know what the difference was between the MySQL and MySQLi PHP extensions.

Will have to go read up on XSS attacks now! Thanks again.