MySQL

SQL Injection -measures for prevention

Please support our MySQL advertiser: PostgreSQL or MySQL? Compare and contrast the two most popular open source databases

•

Join Date: Sep 2009

Posts: 13

Reputation: ultras1 is an unknown quantity at this point

Solved Threads: 0

ultras1

Offline

Newbie Poster

SQL Injection -measures for prevention

Oct 21st, 2009

Hi, I'm making litle CMS with PHP+Mysql. Can you tellme measures for prevention for SQL Injections ?

•

Join Date: Aug 2007

Posts: 72

Reputation: smartness is an unknown quantity at this point

Solved Threads: 10

smartness

Offline

Junior Poster in Training

Oct 23rd, 2009

--> mysql_real_escape_string

--> Use htmlentities() for user submitted data!

when you get the id from the url:
$id = $_GET["id"];
use this:
$id = (int)$_GET["id"];

this is only when the ID is a integer!

I would suggest using a php mysql class!

Last edited by smartness; Oct 23rd, 2009 at 2:54 pm.

•

Join Date: Sep 2009

Posts: 62

Reputation: kylegetson is an unknown quantity at this point

Solved Threads: 9

kylegetson kylegetson is offline

Offline

Junior Poster in Training

Oct 24th, 2009

using php base64_encode and php base64_decode can help as well.

never run a query on data you unsure about.

also, its a good idea to restrict the permissions of the mysql user your scripts are using, so in case someone does get in, they can't create, alter or drop tables. require an additional login before allowing those type of queries.

backup early. backup often.

Don't pay data charges. txtFeeder.com is a free way to read the web on your mobile, and avoid data charges! **Now txtFeeder has a wireless note feature! Make notes on the go!
-Kyle Getson

•

Join Date: Sep 2009

Posts: 13

Reputation: ultras1 is an unknown quantity at this point

Solved Threads: 0

ultras1

Offline

Newbie Poster

Oct 24th, 2009

•

Originally Posted by smartness

when you get the id from the url:
$id = $_GET["id"];
use this:
$id = (int)$_GET["id"];

this is only when the ID is a integer!

Interesting

•

Originally Posted by kylegetson

using php base64_encode and php base64_decode can help as well.

I had never known about that, it looks interesting. For example if I have "index.php?id=33&page=1" . What to encode? I guess "id=33&page=1" ?

•

Join Date: Sep 2009

Posts: 62

Reputation: kylegetson is an unknown quantity at this point

Solved Threads: 9

kylegetson kylegetson is offline

Offline

Junior Poster in Training

Oct 24th, 2009

When creating links use:

 Help with Code Tags 
 MySQL Syntax (Toggle Plain Text) 
$id=33;
$page=1;
$link = "index.php?id=".base64_encode($id)."&page=".base64_encode($page);
$id=33;
$page=1;
$link = "index.php?id=".base64_encode($id)."&page=".base64_encode($page);

Then when getting those variables:

 Help with Code Tags 
 MySQL Syntax (Toggle Plain Text) 
$id = base64_decode($_GET['id']);
$page = base64_decode($_GET['page']);
$id = base64_decode($_GET['id']);
$page = base64_decode($_GET['page']);

hope that helps.

Don't pay data charges. txtFeeder.com is a free way to read the web on your mobile, and avoid data charges! **Now txtFeeder has a wireless note feature! Make notes on the go!
-Kyle Getson