I have implemented a way to avoid SQL injection on a PHP website, following the "Example #3 A "Best Practice" query" section of this page: http://in.php.net/mysql_real_escape_string
The following are the steps I have followed after the form values are submitted to a PHP file.
Step 1.
    if (get_magic_quotes_gpc()) {
        $username = stripslashes($_POST["username"]);
        .........
    } else {
        $username = $_POST["username"];
        .........
    }

Step 2.
    $conn = mysql_connect($hostname, $user, $password);

Step 3.
    $insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s', ...)",
        mysql_real_escape_string($username, $conn),
        ...);

Step 4.
    if (!$conn) {
        header("Location: http://website/dberror.html");
        exit;
    } else {
        mysql_select_db($database, $conn);
        $insertqueryresult = mysql_query($insertquery);
        if (!$insertqueryresult) {
            header("Location: http://website/error.html");
            exit;
        }
    }

With the above method I am able to insert values into the table even if I enter the ' special character, which can cause problems.
I have also used a simple SQL insert query like:
    $insertquery = "INSERT INTO table(username, ...) VALUES ('$username', ...)";
When I used this simple insert query and entered ' in the form and submitted it, the PHP file was unable to process the information entered because of the ' character, and as per the code the error.html file is displayed; whereas if I use:
    $insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s', ...)",
        mysql_real_escape_string($username, $conn),
        ...);
then even if I enter any number of ' characters in more than one form field, the data is inserted into the table.
a) So I am thinking that the steps I have taken from the PHP site are correct and the right way to avoid SQL injection, though there are several ways to avoid SQL injection.
b) For example, if I enter data in the form as abc'''def for the name, the data in the table for the name field is written as abc'''def. Based on how I have written the steps to avoid SQL injection, is this the right way for the data to be stored, with the ' characters along with the data, as in my example abc'''def?
Please answer questions a) and b). If there is something else I need to do, please suggest exactly what needs to be done and at which step.
Any help will be greatly appreciated.
Thanks.
Reply by pbmods (Recognized Expert):
Heya, Runway.
mysql_real_escape_string() essentially escapes quotes and comment characters (such as -- and /*) by prepending them with slashes (e.g., "abc'''123" becomes "abc\'\'\'123").
Since these characters can be changed (though very rarely are), mysql_real_escape_string() is preferred over addslashes() or addcslashes().
For maximum security and more organized code, you should consider switching to MySQLi and its ability to use prepared statements.
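The following is an added example (not code from either poster) that runs the three query styles discussed in this thread against an in-memory SQLite database through PDO, so it works offline; SQLite stands in for MySQL here, and the prepared-statement pattern is the same with MySQLi or PDO_MySQL. It uses the poster's test value abc'''def and shows that escaping changes only the SQL text, not the stored value, which answers question b). It also connects before building any query, because mysql_real_escape_string() needs a live connection and in the original steps it is called (step 3) before the connection is checked (step 4).

```php
<?php
// Added example, not from the original thread. SQLite via PDO is used only so
// the script runs offline; swap the DSN for MySQL and the code is unchanged.
declare(strict_types=1);

// PDO throws on connection failure, so there is no $conn to test afterwards.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');

$username = "abc'''def"; // constructed input, as typed into the form field

// 1. Plain interpolation (the "simple insert query" in the question): the
//    quotes end the string literal early and the statement is rejected.
try {
    $pdo->exec("INSERT INTO users (username) VALUES ('$username')");
    echo "naive insert: unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo 'naive insert: rejected (' . $e->getMessage() . ")\n";
}

// 2. Escaping (the sprintf approach in the question): PDO::quote() is PDO's
//    counterpart to mysql_real_escape_string() and also adds the outer quotes.
//    Only the SQL text is escaped; the database stores the original string.
$pdo->exec('INSERT INTO users (username) VALUES (' . $pdo->quote($username) . ')');

// 3. Prepared statement (the reply's recommendation): the value never becomes
//    part of the SQL text, so there is nothing to escape and nothing to forget.
$stmt = $pdo->prepare('INSERT INTO users (username) VALUES (:username)');
$stmt->execute([':username' => $username]);

// Both safe variants store exactly what the user typed, quotes included.
$rows = $pdo->query('SELECT username FROM users ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
foreach ($rows as $i => $stored) {
    printf("row %d stored as %s (%s)\n", $i + 1, $stored,
        $stored === $username ? 'identical to input' : 'CHANGED');
}
```

The escaped form is what MySQL receives on the wire, not what it stores, so seeing abc'''def unchanged in the table is the correct result.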