Member Avatar for veledrom

Hi,

I wonder what is the best way to prevent injection against user input. There are a lot of examples but one say "magic_quotes_gpc" is good but removed from PHP soon. Therefore, no point of using it. Another says "mysql_real_escape_string and addslashes" just used to clean iptuts. Etc etc.

I am confused what to realy use. Can anyone make code below best practice plase.

Thanks in advance

<?php
$uid=$_POST["username"];
$psw=$_POST["password"];

$query="SELECT * FROM mytable WHERE uid='$uid' AND psw=sha1('$psw')";

$runit=mysql_query($query);
?>
Edited by mike_2000_17 because: Fixed formatting
  • 5 Contributors
  • 4 Replies
  • 162 Views
  • 2 Years Discussion Span
  • Latest Post Latest Post by phplover

Recommended Answers

All 4 Replies

Member Avatar for ShawnCplus

Use PDO/mysqli and prepared statements, that's the easiest way to prevent it. Forget about all the magic_quotes BS. mysql::prepare

Member Avatar for somedude3488

Pretty much mysql_real_escape_string() is all you need.

Member Avatar for jporter892

The best way to go is to use prepared statements - you can read why here, there's a good example:

{snipped}

and more about SQL Injection here:

{snipped}

Edited by diafol because: Plugging a website on a v. old thread
Member Avatar for phplover

Hi,

I agree with others that PDO/Prepared Statements are the way forward.

I only started learning PDO for about two weeks and even thou it can be a little confusing to begin with it's well worth the learning curve, i am now and already using PDO and it makes mysql look ancient in comparison and much cleaner code.

I learnt it by searching Google and i did buy a book which i would highly recommend. It's for Beginners but covers everything you need to know, it takes you through by a building a simple application and as the book goes on further you make alterations to the application. They book is well worth the money if you can afford it and not like many other books that jump to quickly without much explanation. This books explains in good detail and with good examples plus the benefit of learning to build a simple application to get you understanding and learning PDO to it's full advantage. The book is caled Learning PHP Data Objects Heres a link to the Amazon UK site for the book. This book can get you understanding and learning PDO very quickly and is easy to follow along with.

All the Best,
phplover

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.