473,396 Members | 1,892 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

home > topics > php > questions > safe mysql queries

Join Bytes to post your question to a community of 473,396 software developers and data experts.

Safe MySQL queries

After realising how easy it is for a malicious user to inject an sql query
into a paramenter for a query, e.g:

$query = "SELECT name FROM employees WHERE ID = ".$HTTP_GET_VARS['id']

And the user enters for the query string: mypage.php?id=1 UNION DISTINCT....

I'm trying to work out what level of protection is needed. As far as I can
see, for integer values I should just validate that a numeral has been
entered, and for text the addslashes() or mysql_escape_string() functions
are enough. Am I right in saying this?

Thanks,
Peter.
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.713 / Virus Database: 469 - Release Date: 30/06/2004
Jul 17 '05 #1
4 2401
Pete <so****************@nodomain.com> wrote:
After realising how easy it is for a malicious user to inject an sql query
into a paramenter for a query, e.g: $query = "SELECT name FROM employees WHERE ID = ".$HTTP_GET_VARS['id'] And the user enters for the query string: mypage.php?id=1 UNION DISTINCT.... I'm trying to work out what level of protection is needed. As far as I can
see, for integer values I should just validate that a numeral has been
entered, and for text the addslashes() or mysql_escape_string() functions
are enough. Am I right in saying this?


for integer values that sounds abt right.. i just explicitly cast into an int
or float..
strings should work.. atleast cases where the user input is in quotes should
be fine

SELECT name FROM employees WHERE lastname='SELECT * FROM employees'
^
user input
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Salil Das | It's ok to kiss a fool,
bugs@cc | It's ok to let a fool kiss you,
| but never ever let a kiss fool you.
Jul 17 '05 #2
Pete wrote:
After realising how easy it is for a malicious user to inject an sql
query into a paramenter for a query, e.g:

$query = "SELECT name FROM employees WHERE ID = ".$HTTP_GET_VARS['id']

And the user enters for the query string: mypage.php?id=1 UNION
DISTINCT....

I'm trying to work out what level of protection is needed. As far as
I can see, for integer values I should just validate that a numeral
has been entered, and for text the addslashes() or
mysql_escape_string() functions are enough. Am I right in saying this?


well , example above, ...WHERE ID = ". $string

if you put $string in ' ".$string." ' then ID will be whatever is in
string, no Injection is possible in that case.
So , right way would be:

$query = "SELECT name FROM employees WHERE ID = '".$HTTP_GET_VARS['id']."';

also, my suggestion is... All GET and POST variables put trough some
checker. All my PHP scripts looks like..

loop
all input trough check ( is number, is string - depends on expected
type )
..
..
..
isset( $_GET['id']) ? $id = $_GET['id'] : $id = false;
so in rest of scrip i don't use GET or POST
--
kreso
www.gdprom.com/mouse/


Jul 17 '05 #3
"Pete" <so****************@nodomain.com> wrote in message
news:40**********************@news-text.dial.pipex.com...
After realising how easy it is for a malicious user to inject an sql query
into a paramenter for a query, e.g:

$query = "SELECT name FROM employees WHERE ID = ".$HTTP_GET_VARS['id']

And the user enters for the query string: mypage.php?id=1 UNION DISTINCT....
I'm trying to work out what level of protection is needed. As far as I can
see, for integer values I should just validate that a numeral has been
entered, and for text the addslashes() or mysql_escape_string() functions
are enough. Am I right in saying this?


The mysql manual recommends that you encase all arguments in single quotes

$query = sprintf("SELECT name FROM employees WHERE ID = '%s'" ,
$HTTP_GET_VARS['id']);

Add to that you should ensure that the id is a number

$id = (int)$HTTP_GET_VARS['id'];
$query = sprintf("SELECT name FROM employees WHERE ID = '%s'" , $id);

You can also prevent attacks by using addslashes if your php installation
doesn't automatically do this for you.
Jul 17 '05 #4
Pete (so****************@nodomain.com) wrote:
: After realising how easy it is for a malicious user to inject an sql query
: into a paramenter for a query, e.g:

: $query = "SELECT name FROM employees WHERE ID = ".$HTTP_GET_VARS['id']

$the_id = mysql_escape_string($HTTP_GET_VARS['id']);

$query = "SELECT name FROM employees WHERE ID = '$the_id'";


--

(Paying) telecommute programming projects wanted. Simply reply to this.
Jul 17 '05 #5
New Post

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

0
OLAP Proposal for MySQL
by: Philip Stoev | last post by:
Hi all, Please tell me if any of this makes sense. Any pointers to relevant projects/articles will be much appreciated. Philip Stoev http://www.stoev.org/pivot/manifest.htm ...
MySQL Database
2
mysql shuts down during rapid execution of querys
by: Brian | last post by:
Hello I am using version 4.0.12-nt of MySQL and when I hit the enter key rapidly I can't connect to the database. The result is a message is returned to me from mysql that says I can't connect...
MySQL Database
0
MySQL eventually brings system to a halt
by: Adam | last post by:
Hi all, a site I run has been getting busier during peak hours and I've noticed at times the mysql server will bring the entire server to a standstill. I have tweaked the mysql server...
MySQL Database
11
MySQL ODBC 3.51 driver Very Slow!
by: DJJ | last post by:
I am using the MySQL ODBC 3.51 driver to link three relatively small MySQL tables to a Microsoft Access 2003 database. I am finding that the data from the MySQL tables takes a hell of a long time...
MySQL Database
3
Safe insert queries for mysql ?
by: frizzle | last post by:
Hi there, I was wondering the folllowing: when i insert something into a mySQL DB -in a guestbook for instance- i mostly use mysql_escape_string($_POST['comment'). now i've seen...
PHP
39
DB2 v MySql
by: Mairhtin O'Feannag | last post by:
Hello, I have a client (customer) who asked the question : "Why would I buy and use UDB, when MySql is free?" I had to say I was stunned. I have no experience with MySql, so I was left sort...
DB2 Database
1
Non-stop queries coming from ??? XP, MySQL 5.0.15
by: Good Man | last post by:
Hi there I've noticed some very weird things happening with my current MySQL setup on my XP Laptop, a development machine. For a while, I have been trying to get the MySQL cache to work....
MySQL Database
8
SQL Server ou Mysql with ASP ?
by: Fred | last post by:
Hello, Our website is currently developed in ASP/Mysql 4. The dedicated servers on which it is currently hosted arrive at saturation. Here is their configuration: - 1 server PIV 2,8Ghz 1GB...
ASP / Active Server Pages
4
MySQL millions row OLTP dimensioning
by: Federico | last post by:
Hi everybody, I'm evaluating the possibility of using MySQL 5.0 as a database backend for an application we are doing and I'd like to have hardware requirements rough estimates and/or real world...
MySQL Database
13
php vs mysql speed
by: Ciaran | last post by:
Hi All, Is it faster to have mySql look up as much data as possible in one complex query or to have php do all the complex processing and submit lots of simple queries to the mysql database? ...
PHP
0
How to turn on java script in a villaon keypad mobile phone
by: Charles Arthur | last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
Java
1
Looking to do Android software development, any suggestions? Is flutter better?
by: nemocccc | last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
General
1
Is that possible of reading the .csv file in column wise and the column have different lengths ?
by: Sonnysonu | last post by:
This is the data of csv file 1 2 3 1 2 3 1 2 3 1 2 3 2 3 2 3 3 the lengths should be different i have to store the data by column-wise with in the specific length. suppose the i have to...
C / C++
0
How to build RAID in BIOS?
by: Hystou | last post by:
There are some requirements for setting up RAID: 1. The motherboard and BIOS support RAID configuration. 2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
Computer Hardware
0
marktang
What is ONU?
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
General
0
Oralloy
Problem With Comparison Operator <=> in G++
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers,...
C / C++
0
jinu1996
Maximizing Business Potential: The Nexus of Website Design and Digital Marketing
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
Online Marketing
0
The easy way to turn off automatic updates for Windows 10/11
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
Windows Server
0
tracyyun
Discussion: How does Zigbee compare with other wireless protocols in smart home applications?
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
General

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes:
Post a Job
Sponsored Posts
Platinum & Gold Sponsors
Hire Now!