 | Forum | Register | Search | Today's Posts | Mark Forums Read |  |
|
|
 |
|
| ||||||
|
Welcome to the The ProgrammersTalk Community forums. You are currently viewing our boards as a guest which gives you limited access to view most discussions and access our other features. By joining our free community you will have access to post topics, communicate privately with other members (PM), respond to polls, upload content and access many other special features. Registration is fast, simple and absolutely free so please, join our community today! If you have any problems with the registration process or your account login, please contact contact us. |
 |
 | | LinkBack | Thread Tools | Display Modes |  |
06-27-2007, 07:25 AM
| ||||
| ||||
| Prevent SQL attacks? Hey, I am trying to make a script and i want to prevent SQL attacks, all i will have is a simple script to submit the user email address for a newsletter, and then i will also have an admin login, i want to know how to stop SQL attacks, i know there are codes but i have no clue which one is best and why? Could someone provide a block of code and tell me how i would make it work with my form? and also how i can test it to check that the block of code works? Any help would be great, i just need to get this stage of code sorted  __________________           |
| |
|
06-27-2007, 08:14 AM
| |||
| |||
| Wrap all your input fields with this function prior to Inserting and you should be alright PHP: mysql_real_escape_string - Manual__________________ Day Cares | Golf Courses | Disc Golf Courses | Campgrounds | Ice Rinks | Paintball Fields | Dentists | Plastic Surgeons | Aging Jokes Catholic Churches | Lutheran Churches | Methodist Churches | Episcopal Churches | Clean Jokes |
|
06-27-2007, 08:18 AM
| ||||
| ||||
| so i just have something like: mysql_real_escape_strin($user) mysql_real_escape_strin($email) mysql_real_escape_strin($pass) etc... before my query? __________________ Last edited by Lee : 06-28-2007 at 04:55 AM. |
|
06-27-2007, 08:49 AM
| |||
| |||
| Code: $sql = "Insert Into TABLENAME (Field1) Values ('".mysql_real_escape_string($fieldVal1)."'); __________________ Day Cares | Golf Courses | Disc Golf Courses | Campgrounds | Ice Rinks | Paintball Fields | Dentists | Plastic Surgeons | Aging Jokes Catholic Churches | Lutheran Churches | Methodist Churches | Episcopal Churches | Clean Jokes |
|
06-27-2007, 08:52 AM
| ||||
| ||||
| Here it is an example of one insecure php code that could be easily to attack: PHP Code: they can simply insert unproper data like they insert '; DELETE user.. like this into your username input. you sql query will be something like SELECT * FROM users WHERE user=''; DELETE user... Your query will not perform like you expect. To avoid it you can do like that ccoonen have said by using mysql_real_escape_string and the code will be looking like this PHP Code: No more attack.... __________________ |
| The Following User Says Thank You to siLenTz For This Useful Post: | ||
HelloWorld (07-09-2007) | ||
|
06-27-2007, 07:54 PM
| |||
| |||
| cool, just make sure you fix the $username line $username = mysql_real_escape_strin($username); should be $username = mysql_real_escape_string($username); __________________ Day Cares | Golf Courses | Disc Golf Courses | Campgrounds | Ice Rinks | Paintball Fields | Dentists | Plastic Surgeons | Aging Jokes Catholic Churches | Lutheran Churches | Methodist Churches | Episcopal Churches | Clean Jokes |
|
07-09-2007, 09:36 AM
| |||
| |||
| I think this is a great thread. Security is very important. I now have a better understanding of how SQL attacks are committed. |
|
07-09-2007, 11:46 AM
| ||||
| ||||
| This is really interesting, I never kenw that user can do SQL attack by just doing what SiLenTz said. Thanx a lot for this thread, i learned a lot. __________________ |
|
| Thread Tools | |
| Display Modes | |
| |
Linear Mode
