    SQL injection in PHP

    I have implemented a way to avoid SQL injection on the PHP website from this URL,
    http://in.php.net/mysql_real_escape_string, from the "Example #3 A "Best Practice" query" section of that page.

    Following are the steps I have followed after the form values are submitted to a PHP file.

    step 1.

    // stripslashes() removes the backslashes that magic_quotes_gpc adds; keep this
    // stripped value and do not reassign the raw $_POST value afterwards.
    $username = stripslashes($_POST["username"]);

    step 2.

    $conn = mysql_connect($hostname, $user, $password);

    step 3.

    // Escape the value using the open connection's charset before it goes into the query text.
    $insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s', ...)", mysql_real_escape_string($username, $conn), ...);

    step 4.

    // Redirect to dberror.html only when the database cannot be selected; sending
    // this header unconditionally would redirect before the query ever runs.
    if (!mysql_select_db($database, $conn)) {
        header("Location: http://website/dberror.html");
        exit;
    }
    $insertqueryresult = mysql_query($insertquery, $conn);
    if (!$insertqueryresult) {
        header("Location: http://website/error.html");
        exit;
    }
    With the above method I am able to insert values into the table even if I enter the ' special character, which can cause

    I have also used a simple SQL insert query like
    $insertquery = "INSERT INTO table(username, ...) VALUES ('$username', ...)";
    When I used this simple insert query and entered ' in the form and submitted it, the PHP file was unable to process
    the information entered because of the ' character, and as per the code the error.html file is displayed. Whereas if I use
    $insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s', ...)", mysql_real_escape_string($username, $conn), 
    even if I enter any number of ' characters in more than one form field, the data is inserted into the table.

    So I am thinking that the steps I have taken from the PHP site are correct and the right way to avoid SQL injection, though
    there are several ways to avoid SQL injection.

    For example, if I enter data in the form as abc'''def for the name, the data in the table for the name field is being written as

    Based on how I have written the steps to avoid SQL injection, is this the right way for the data to be stored with '
    characters along with the data, for example abc'''def as I mentioned?

    Please answer questions a) and b); if there is something else I need to do, please suggest exactly what needs to be done
    and at which step.

    Any help will be greatly appreciated.

    Last edited by mehere; May 29th, 2008 at 02:41 PM. Reason: added code tags ... please use them in the future when posting code
  2. #2
    The best advice I can give on securing PHP is to escape ALL input fields properly. It has been a common best practice in SQL to also make sure the SQL statements are not concatenated, so if you can find a way to create that kind of interaction in PHP you're even safer. I would like to see more responses to this, though, if more people have a clearer answer.
    Nico del Castillo
    Microsoft Security Outreach Team
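An added example, not from either post, that runs the thread's INSERT three ways against an in-memory SQLite database through PDO so it works offline (the mysql_* functions the question uses were removed in PHP 7; the users table and its column are constructed): the interpolated query fails on abc'''def, while both the escaped query and a prepared statement, the "not concatenated" form the reply recommends, store the value intact.

```php
<?php
// Added example: in-memory SQLite via PDO; table and column names are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT NOT NULL)');

// The sample value from the original post: three single quotes inside the name.
$username = "abc'''def";

// 1. Plain interpolation, as in the "simple" query from the post: the quotes in
//    the data terminate the string literal and the statement is a syntax error,
//    which is why the post saw error.html for this variant.
try {
    $pdo->exec("INSERT INTO users (username) VALUES ('$username')");
    echo "plain interpolation: inserted\n";
} catch (PDOException $e) {
    echo "plain interpolation: query failed (" . $e->getMessage() . ")\n";
}

// 2. Escaping before interpolation, the pattern the post took from the
//    mysql_real_escape_string manual page. PDO::quote() is the driver-aware
//    equivalent (it doubles embedded quotes and adds the surrounding ones);
//    escaping changes only the SQL text, the stored value is still abc'''def.
$quoted = $pdo->quote($username);
$pdo->exec(sprintf('INSERT INTO users (username) VALUES (%s)', $quoted));

// 3. Prepared statement with a bound parameter: no SQL text is built from user
//    input at all, so there is nothing for a stray quote to terminate.
$stmt = $pdo->prepare('INSERT INTO users (username) VALUES (:username)');
$stmt->execute([':username' => $username]);

// Both safe variants store the literal characters, quotes included.
foreach ($pdo->query('SELECT username FROM users') as $row) {
    var_dump($row['username'] === $username);
}
```

Run it with `php example.php`; variant 1 reports the failed query and the loop prints bool(true) twice for variants 2 and 3.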
