473,326 Members | 2,815 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,326 software developers and data experts.

sql injection

i have implemented a way to avoid sql injection from the php website from this url
http://in.php.net/mysql_real_escape_string from the "Example #3 A "Best Practice" query" section of this page

following are the steps i have followed after the form values are submitted to a php file.

step 1.
Expand|Select|Wrap|Line Numbers
  1. if(get_magic_quotes_gpc()) 
  2. {
  3. $username = stripslashes($_POST["username"]);
  4. .........
  5. }
  6.  
  7. else
  8. {
  9. $username = $_POST["username"];
  10. .........
  11. }
  12.  
step 2.
Expand|Select|Wrap|Line Numbers
  1. $conn = mysql_connect($hostname, $user, $password);
  2.  
step 3.
Expand|Select|Wrap|Line Numbers
  1. $insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s', ...)", mysql_real_escape_string($username, $conn), 
  2.  
  3. ...);
  4.  
step 4.
Expand|Select|Wrap|Line Numbers
  1.     if(!$conn)
  2.     { 
  3. header("Location: http://website/dberror.html"); 
  4. exit;
  5.     }
  6.  
  7.     else
  8.     {
  9. mysql_select_db($database, $conn);
  10.  
  11. $insertqueryresult = mysql_query($insertquery);       
  12.  
  13.  
  14.     if(!$insertqueryresult)    {        
  15.     header("Location: http://website/error.html"); 
  16.     exit;                     }     
  17.  
  18.     }
  19.  
with the above method i am able to insert values into the table even with if i enter the ' special character which can cause

problems.

i have also used a simple sql insert query like
Expand|Select|Wrap|Line Numbers
  1. $insertquery = "INSERT INTO table(username, ...) VALUES ('$username', ...)";
  2.  
when i used this simple insert query and if i entered ' in the form and submitted the form the php file is unable to process

the information entered because of the ' character and as per the code error.html file is being displayed where as if i use
Expand|Select|Wrap|Line Numbers
  1. $insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s', ...)", mysql_real_escape_string($username, $conn), 
  2.  
  3. ...);
  4.  
even if i enter any number of ' characters in more than 1 form field data is being inserted into the table

a)
so i am thinking that the steps i have taken from the php site is correct and the right way to avoid sql injection though

there are several ways to avoid sql injection.

b)
for example if i enter data in the form as = abc'''def for name, the data in the table for the name field is being written as

abc'''def

based on how i have written the steps to avoid sql injection is this the right way for the data to be stored with '

characters along with the data example as i mentioned = abc'''def

please answer the questions a) and b) if there is something else i need to do please suggest what needs to be done exactly

and at which step.

any help will be greatly appreciated.

thanks.
May 29 '08 #1
1 1478
pbmods
5,821 Expert 4TB
Heya, Runway.

mysql_real_escape_string() essentially escapes quotes and comment characters (such as -- and /*) by prepending them with slashes (e.g., "abc'''123" becomes "abc\'\'\'123").

Since these characters can be changed (though very rarely are), mysql_real_escape_string() is preferred over addslashes() or addcslashes().

For maximum security and more organized code, you should consider switching to MySQLi and its ability to use prepared statements.
May 30 '08 #2

Sign in to post your reply or Sign up for a free account.

Similar topics

1
by: NotGiven | last post by:
Steve wrote, > "And read up on "sql injection" attacks (use your favorite search > engine). As indicated, validate input. e.g. if you expert $_GET > to be integer, then do > > $a =...
1
by: Cogswell | last post by:
I am working on an ecommerce app and want to be able to take my entire POST results as one item (or iterate through them) and check for any malicious SQL INJECTION items. After checking/escaping...
11
by: Bã§TãRÐ | last post by:
I have been working on this particular project for a little over 2 weeks now. This product contains between 700-900 stored procedures to handle just about all you can imagine within the product. I...
10
by: bregent | last post by:
I've seen plenty of articles and utilities for preventing form injections for ASP.NET, but not too much for classic ASP. Are there any good input validation scripts that you use to avoid form...
8
by: stirrell | last post by:
Hello, One problem that I had been having is stopping email injections on contact forms. I did some research, read up on it and felt like I had created a working solution. I hadn't gotten any...
7
by: | last post by:
There are assorted "SQL Injection vulnerability assessment tools" out there. They scan your site and send your report. They also take your money. We don't have the money so I was wondering if I...
3
by: =?Utf-8?B?Um9kbmV5IFZpYW5h?= | last post by:
IIS 6 SQL Injection Sanitation ISAPI Wildcard at http://www.codeplex.com/IIS6SQLInjection I created an ISAPI dll application to prevent SQL Injection attempts by intercepting the HTTP requests...
2
by: Sudhakar | last post by:
A) validating username in php as part of a registration form a user fills there desired username and this is stored in a mysql. there are certain conditions for the username. a) the username...
12
by: shank | last post by:
I've been hit again using DW, parameterized queries and stored procedures. I'm guessing I was not strict enough with character counts and allowing to long of a string to pass. Aside from that,...
2
by: Brian Bozarth | last post by:
This is weird, I'm pretty familiar with SQL Injection - but we're getting these weird injection that is writing in the default document or home page. What it's doing is putting in script code at...
0
by: DolphinDB | last post by:
Tired of spending countless mintues downsampling your data? Look no further! In this article, you’ll learn how to efficiently downsample 6.48 billion high-frequency records to 61 million...
1
isladogs
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
0
by: Vimpel783 | last post by:
Hello! Guys, I found this code on the Internet, but I need to modify it a little. It works well, the problem is this: Data is sent from only one cell, in this case B5, but it is necessary that data...
0
by: jfyes | last post by:
As a hardware engineer, after seeing that CEIWEI recently released a new tool for Modbus RTU Over TCP/UDP filtering and monitoring, I actively went to its official website to take a look. It turned...
1
by: PapaRatzi | last post by:
Hello, I am teaching myself MS Access forms design and Visual Basic. I've created a table to capture a list of Top 30 singles and forms to capture new entries. The final step is a form (unbound)...
1
by: CloudSolutions | last post by:
Introduction: For many beginners and individual users, requiring a credit card and email registration may pose a barrier when starting to use cloud servers. However, some cloud server providers now...
1
by: Shællîpôpï 09 | last post by:
If u are using a keypad phone, how do u turn on JavaScript, to access features like WhatsApp, Facebook, Instagram....
0
by: af34tf | last post by:
Hi Guys, I have a domain whose name is BytesLimited.com, and I want to sell it. Does anyone know about platforms that allow me to list my domain in auction for free. Thank you
0
by: Faith0G | last post by:
I am starting a new it consulting business and it's been a while since I setup a new website. Is wordpress still the best web based software for hosting a 5 page website? The webpages will be...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.