#1
SQL injection in PHP
I have implemented a way to avoid SQL injection on the PHP website, following the "Example #3 A "Best Practice" query" section of this page: http://in.php.net/mysql_real_escape_string. The following are the steps I have followed after the form values are submitted to a PHP file.

Step 1. Code:
if (get_magic_quotes_gpc())
{
    // magic quotes already added backslashes, so strip them before escaping in step 3
    $username = stripslashes($_POST["username"]);
    .........
}
else
{
    // no magic quotes: take the raw submitted value
    $username = $_POST["username"];
    .........
}

Step 2. Code:
$conn = mysql_connect($hostname, $user, $password);

Step 3. Code:
// escape each value with the connection's character set and build the query
$insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s', ...)",
    mysql_real_escape_string($username, $conn),
    ...);

Step 4. Code:
if (!$conn)
{
    header("Location: http://website/dberror.html");
    exit;
}
else
{
    mysql_select_db($database, $conn);
    $insertqueryresult = mysql_query($insertquery);
    if (!$insertqueryresult) {
        header("Location: http://website/error.html");
        exit;
    }
}

With the above method I am able to insert values into the table even if I enter the ' special character, which can cause problems. I have also used a simple SQL insert query like Code:
$insertquery = "INSERT INTO table(username, ...) VALUES ('$username', ...)";

When I used this simple insert query and entered ' in the form and submitted it, the PHP file was unable to process the information entered because of the ' character, and as per the code the error.html file is displayed. Whereas if I use Code:
$insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s', ...)",
    mysql_real_escape_string($username, $conn),
    ...);

even if I enter any number of ' characters in more than one form field, the data is inserted into the table.

a) So I am thinking that the steps I have taken from the PHP site are correct and the right way to avoid SQL injection, though there are several ways to avoid SQL injection.

b) For example, if I enter data in the form as abc'''def for the name, the data in the table for the name field is written as abc'''def. Based on how I have written the steps to avoid SQL injection, is this the right way for the data to be stored, with the ' characters along with the data (example as I mentioned: abc'''def)?

Please answer questions a) and b). If there is something else I need to do, please suggest what needs to be done exactly and at which step. Any help will be greatly appreciated. Thanks.

Last edited by mehere : May 29th, 2008 at 02:41 PM. Reason: added code tags ... please use them in the future when posting code
|
#2
The best advice I can give on securing PHP is to escape ALL input fields properly. It has been a common best practice in SQL to also make sure the SQL statements are not concatenated, so if you can find a way to create that kind of interaction in PHP you're even safer. I would like to see more responses to this, though, if more people have a clearer answer.
**************
Nico del Castillo
Microsoft Security Outreach Team
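The three cases from the question (plain interpolation, the escaped sprintf query, and the non-concatenated form the reply recommends) side by side, as an added example that is not part of either post. It assumes PDO with an in-memory SQLite database so it runs without a MySQL server, and uses PDO::quote() in place of mysql_real_escape_string(); SQLite doubles the ' rather than backslash-escaping it, but the stored value comes out the same.

```php
<?php
// Added example (not from the thread): reproduces the asker's cases against
// an in-memory SQLite database via PDO. Assumption: PDO::quote() stands in
// for mysql_real_escape_string(); it also adds the outer quotes, so the
// sprintf pattern below uses %s without its own quotes.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)");

$username = "abc'''def";   // the asker's sample input (constructed)

// Case 1: the plain interpolated query from the post. The stray quotes
// end the string literal early and break the statement, which is why the
// asker's code fell through to the error.html redirect.
try {
    $db->exec("INSERT INTO users (username) VALUES ('$username')");
    echo "case 1: inserted (unexpected)\n";
} catch (PDOException $e) {
    echo "case 1: query failed, as in the post: " . $e->getMessage() . "\n";
}

// Case 2: the escaped query from the PHP manual example. Escaping turns the
// quotes into literal data, so the row stores abc'''def exactly as typed;
// that is the expected result for question b), not a sign of a problem.
$sql = sprintf("INSERT INTO users (username) VALUES (%s)", $db->quote($username));
$db->exec($sql);

// Case 3: the non-concatenated form the second reply recommends. The SQL
// text never changes; the value is sent separately as a bound parameter,
// so no escaping step can be forgotten.
$stmt = $db->prepare("INSERT INTO users (username) VALUES (:username)");
$stmt->execute([':username' => $username]);

// Cases 2 and 3 both store the same value, quotes included.
foreach ($db->query("SELECT id, username FROM users ORDER BY id") as $row) {
    printf("row %d stored: %s\n", $row['id'], $row['username']);
}
```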