Thread: Prevent SQL attacks?
View Single Post
  #5 (permalink)  
Old 06-27-2007, 08:52 AM
siLenTz's Avatar
siLenTz siLenTz is offline
Jr. Programmer
Awards Showcase
Quality Tutorial Quality Tutorial Quality Tutorial Quality Tutorial 
Total Awards: 4
Join Date: Jun 2007
Posts: 87
iTrader: (0)
siLenTz will become famous soon enoughsiLenTz will become famous soon enough
Here it is an example of one insecure php code that could be easily to attack:

PHP Code:
   $query "SELECT * FROM users WHERE user='$username'";
   mysql_query($query); 
If a user insert proper data, it is okay. But if they want to attack you
they can simply insert unproper data like they insert '; DELETE user.. like
this into your username input. you sql query will be something like
SELECT * FROM users WHERE user=''; DELETE user... Your query will
not perform like you expect. To avoid it you can do like that ccoonen have
said by using mysql_real_escape_string and the code will be looking like this

PHP Code:
   $username mysql_real_escape_strin($username);
   $query "SELECT * FROM users WHERE user='$username'";
   mysql_query($query); 
From siLenTz
No more attack....

__________________
Digg this Post! Del.Icio.Us this Post! Technorati this Post! Furl this Post! Mister Wong this Post! Newsvine this Post! Spurl this Post! Reddit this Post! Netscape this Post!
Reply With Quote
The Following User Says Thank You to siLenTz For This Useful Post:
HelloWorld (07-09-2007)