Protect against SQL Injection!, That's what she said!

akozlik
post 2 Jun, 2008 - 11:51 PM
Post #1

I was reading some posts the other day and noticed that a lot of people were including their $_GET variables in their SQL paths:

CODE

// Request data spliced straight into the query text: this is the vulnerable pattern
$sql = "select * from wherever where whatever = {$_GET['variable']}";


Please, please, please sanitize your data before sending it to your query. I ran some tests against a few websites last night and I found a bunch that were vulnerable to SQL injection.

Sanitize your data! Especially if you're in production. I found a couple of programs that were written by developers who were selling the software to various companies. Every single copy of the software was vulnerable. Be wary!

PSA over.

no2pencil
post 3 Jun, 2008 - 12:09 AM
Post #2

I've actually pointed this out to people while they were asking an unrelated question. The entire notion went unnoticed.

From what I've experienced, one bit of extra-effort is two bits too much.

akozlik
post 3 Jun, 2008 - 12:47 AM
Post #3

QUOTE (no2pencil @ 3 Jun, 2008 - 01:09 AM)

I've actually pointed this out to people while they were asking an unrelated question. The entire notion went unnoticed.

From what I've experienced, one bit of extra-effort is two bits too much.


It really seems like people view their web applications with security as an afterthought. I think the problem is that a lot of people who are just beginning are so overwhelmed with all the different things they have to learn that SQL injection is just one more thing they don't want to learn about. Then when their site gets h4x0r3d (ha ha), they wonder where they went wrong. Maybe I'll see about writing an article on the importance of site security and see if skyhawk can get it in the next newsletter.

JBrace1990
post 3 Jun, 2008 - 04:18 AM
Post #4

All I usually do is use htmlspecialchars and mysql_real_escape_string... anything else?

snoj
post 3 Jun, 2008 - 05:11 AM
Post #5

addslashes().

joeyadms
post 3 Jun, 2008 - 10:27 AM
Post #6

If you create your own db abstraction layer, just add in a sanitizing method to help out. I uploaded a pretty nice MySQL abstraction here on dreamincode with one.

Your first, and best way to prevent injections, is to use prepared statements. If not, then use db-specific escape functions like real_escape_string.
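The prepared-statement approach joeyadms recommends, applied to the lookup from the opening post, as an added example that is not code from the thread or from any poster's abstraction layer. It assumes PDO with an in-memory SQLite database so it runs offline (the DSN, table and rows are constructed for the demo; a real site would point PDO at MySQL), and it also shows where htmlspecialchars() from post #4 actually belongs.

```php
<?php
// Added example: the query from post #1 rewritten with PDO prepared statements.
// SQLite in-memory DSN is an assumption so the script runs stand-alone.
declare(strict_types=1);

function findByName(PDO $db, string $name): array
{
    // The placeholder sits where the value used to be concatenated; the driver
    // sends the value separately, so quotes inside it are never parsed as SQL.
    $stmt = $db->prepare('SELECT id, name FROM wherever WHERE whatever = :value');
    $stmt->execute([':value' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function findById(PDO $db, string $rawId): array
{
    // For numeric keys, validate the type as well as binding it:
    // filter_var() returns false for anything that is not an integer.
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];
    }
    $stmt = $db->prepare('SELECT id, name FROM wherever WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wherever (id INTEGER PRIMARY KEY, whatever TEXT, name TEXT)');
$db->exec("INSERT INTO wherever (whatever, name) VALUES ('alice', 'Alice'), ('bob', 'Bob')");

// Constructed inputs standing in for $_GET['variable'].
$tautology = "' OR '1'='1";                 // classic probe; here it is just a string
var_dump(count(findByName($db, $tautology))); // int(0): no row has that literal value
var_dump(count(findByName($db, 'alice')));    // int(1)
var_dump(findById($db, '1 OR 1=1'));          // array(0) {}: rejected by the int check

// htmlspecialchars() is output encoding for HTML, not SQL protection.
// Use it when echoing a value into a page, not before running a query.
echo htmlspecialchars($tautology, ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

With mysqli the same idea is `$stmt = $mysqli->prepare(...); $stmt->bind_param('s', $value);`, and `mysqli_real_escape_string()` is the fallback only when a query genuinely cannot be parameterized.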
