MySQL Discussion Thread
Oct 21st, 2009

SQL Injection - measures for prevention

Hi, I'm making a little CMS with PHP+MySQL. Can you tell me the measures for preventing SQL injections?
ultras1 (Newbie Poster, 19 posts since Sep 2009; reputation 10, 1 solved thread)

Oct 23rd, 2009
Re: SQL Injection - measures for prevention
--> mysql_real_escape_string

--> Use htmlentities() for user submitted data!

when you get the id from the url:
$id = $_GET["id"];
use this:
$id = (int)$_GET["id"];

this is only when the ID is an integer!

I would suggest using a php mysql class!
Last edited by smartness; Oct 23rd, 2009 at 2:54 pm.
smartness (Junior Poster, 103 posts since Aug 2007; reputation 7, 14 solved threads)

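An added example, not code from smartness or from this thread, that puts the three approaches side by side: the string concatenation the thread warns about, the integer cast (done with filter_var so that non-numeric input is rejected instead of silently coerced to 0), and a prepared statement, which is the approach to prefer for numeric and string values alike. It uses PDO against an in-memory SQLite database; that database, the `pages` table and its rows are constructed stand-ins for the poster's MySQL connection, and the same PDO calls work unchanged against MySQL. The mysql_* functions, including mysql_real_escape_string, were removed in PHP 7, so new code should use mysqli or PDO.

```php
<?php
// Added example (not from the thread). PDO + in-memory SQLite is an assumption
// standing in for the poster's MySQL connection; swap the DSN for
// "mysql:host=...;dbname=..." and nothing else changes.
declare(strict_types=1);

function makeDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
    // Constructed sample rows: one public page, one that should stay private.
    $db->exec("INSERT INTO pages VALUES (1, 'Home', 'Welcome'), (2, 'Admin notes', 'internal')");
    return $db;
}

// BEFORE: the pattern the thread is about. The raw query-string value is
// pasted into the SQL text, so anything that is not a plain number becomes
// part of the statement instead of data.
function pageVulnerable(PDO $db, string $rawId): array
{
    $sql = 'SELECT id, title FROM pages WHERE id = ' . $rawId;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The integer check smartness suggests, but rejecting instead of coercing:
// (int)'abc' is 0 and (int)'12abc' is 12, which hides malformed input.
function parsePageId(string $rawId): ?int
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// AFTER: validated integer bound as a parameter. Even without the validation
// step, a bound value is only ever compared as data, never parsed as SQL.
function pageSafe(PDO $db, string $rawId): array
{
    $id = parsePageId($rawId);
    if ($id === null) {
        return []; // a real handler would answer 400 Bad Request here
    }
    $stmt = $db->prepare('SELECT id, title FROM pages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// String columns follow the same rule: bind, never concatenate or quote by hand.
function findByTitle(PDO $db, string $title): array
{
    $stmt = $db->prepare('SELECT id, title FROM pages WHERE title = ?');
    $stmt->execute([$title]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDemoDb();
$inputs = [
    'normal'      => '2',
    'non-numeric' => '2 OR 1=1',   // constructed: what ?id= looks like when it is not a number
];
foreach ($inputs as $label => $raw) {
    printf("%-12s concatenated: %d row(s)   prepared: %d row(s)\n",
        $label, count(pageVulnerable($db, $raw)), count(pageSafe($db, $raw)));
}
print_r(findByTitle($db, 'Home'));
```

Running it shows the point of the thread directly: for the non-numeric input the concatenated query stops filtering on the id at all and hands back every page, while the validated, bound query returns nothing. With mysqli the equivalent is `$stmt = $mysqli->prepare('SELECT ... WHERE id = ?'); $stmt->bind_param('i', $id);`. Encoding the parameter before putting it in the URL (for example with base64) does not change any of this, because it is decoded back to the same string before the query is built; the value still has to be validated or bound.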
Oct 24th, 2009
Re: SQL Injection - measures for prevention
using php base64_encode and php base64_decode can help as well.

never run a query on data you're unsure about.

also, it's a good idea to restrict the permissions of the mysql user your scripts are using, so in case someone does get in, they can't create, alter or drop tables. require an additional login before allowing those types of queries.

backup early. backup often.
kylegetson (Junior Poster in Training, 89 posts since Sep 2009; reputation 26, 12 solved threads)

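An added example, not from the thread, of the permission restriction kylegetson describes: a one-off provisioning script that creates a MySQL account holding only the row-level privileges the CMS pages need, so that even a query that is injected cannot create, alter or drop tables or read other databases. The database name `cms`, the `cms_app@localhost` account, the admin DSN and the two environment variables holding passwords are assumptions. It is run once by an administrator; the web application itself never holds the admin credentials.

```php
<?php
// Added example (not from the thread). Account names, database name, host and
// the admin DSN are assumptions; replace them with your own. Needs MySQL 5.7+
// (for CREATE USER IF NOT EXISTS) and an admin account with GRANT OPTION.
declare(strict_types=1);

function leastPrivilegeStatements(PDO $admin, string $db, string $appUser, string $appHost, string $appPassword): array
{
    // Identifiers cannot be bound as parameters, so allow only a conservative
    // character set and quote the password through the driver.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $db)) {
        throw new InvalidArgumentException('unexpected characters in database name');
    }
    foreach (['user' => $appUser, 'host' => $appHost] as $what => $value) {
        if (!preg_match('/^[A-Za-z0-9_.%-]+$/', $value)) {
            throw new InvalidArgumentException("unexpected characters in $what");
        }
    }
    $account  = "'$appUser'@'$appHost'";
    $password = $admin->quote($appPassword);

    return [
        // Day-to-day account used by the PHP scripts: DML on this schema only.
        "CREATE USER IF NOT EXISTS $account IDENTIFIED BY $password",
        "GRANT SELECT, INSERT, UPDATE, DELETE ON `$db`.* TO $account",
        // Deliberately absent: CREATE, ALTER, DROP, FILE, SUPER, GRANT OPTION and
        // any privilege on other databases. Schema changes go through a separate
        // admin account whose credentials the web server does not have.
    ];
}

function provision(PDO $admin, array $statements): void
{
    foreach ($statements as $sql) {
        $admin->exec($sql);
    }
}

// Verification step: list what the application account can actually do.
function showGrants(PDO $admin, string $appUser, string $appHost): array
{
    return $admin->query("SHOW GRANTS FOR '$appUser'@'$appHost'")->fetchAll(PDO::FETCH_COLUMN);
}

$adminPassword = getenv('CMS_ADMIN_PASSWORD');
$appPassword   = getenv('CMS_APP_PASSWORD');
if ($adminPassword === false || $appPassword === false) {
    fwrite(STDERR, "set CMS_ADMIN_PASSWORD and CMS_APP_PASSWORD first\n");
    exit(1);
}

// Assumed admin DSN and account; the application's own config points at cms_app instead.
$admin = new PDO('mysql:host=127.0.0.1;dbname=cms;charset=utf8mb4', 'cms_admin', $adminPassword);
$admin->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

provision($admin, leastPrivilegeStatements($admin, 'cms', 'cms_app', 'localhost', $appPassword));
foreach (showGrants($admin, 'cms_app', 'localhost') as $grant) {
    echo $grant, "\n";
}
```

The SHOW GRANTS output at the end is the check worth keeping in a deployment runbook: if a line ever mentions ALL PRIVILEGES, DROP or GRANT OPTION for the application account, the restriction has been undone. The "additional login" kylegetson mentions for schema changes is exactly this second account.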
Oct 24th, 2009
Re: SQL Injection - measures for prevention
Quote originally posted by smartness:
    when you get the id from the url:
    $id = $_GET["id"];
    use this:
    $id = (int)$_GET["id"];

    this is only when the ID is an integer!
Interesting

Quote originally posted by kylegetson:
    using php base64_encode and php base64_decode can help as well.
I had never known about that, it looks interesting. For example if I have "index.php?id=33&page=1". What to encode? I guess "id=33&page=1"?
ultras1 (Newbie Poster, 19 posts since Sep 2009; reputation 10, 1 solved thread)

Oct 24th, 2009
Re: SQL Injection - measures for prevention
When creating links use:
    $id = 33;
    $page = 1;
    $link = "index.php?id=" . base64_encode($id) . "&page=" . base64_encode($page);

Then when getting those variables:
    $id = base64_decode($_GET['id']);
    $page = base64_decode($_GET['page']);

hope that helps.
kylegetson (Junior Poster in Training, 89 posts since Sep 2009; reputation 26, 12 solved threads)

Oct 25th, 2009
Re: SQL Injection - measures for prevention
There is a simple rule: always treat user input as evil.
mwasif (Posting Whiz, 312 posts since Dec 2007; reputation 29, 47 solved threads)

Oct 25th, 2009
Re: SQL Injection - measures for prevention
Good
koldex (Newbie Poster, 2 posts since Oct 2009; reputation 10, 0 solved threads)