I heard that sql injections are causing to our databases by spammers...
Can anyone please tel me how it is possible ?
And very importantly how to escape from sql injections...
I expect more answers from you...And Thanks for those ....
Shanti C
106
Posting Virtuoso
Recommended Answers
Jump to PostHi Shanti,
SQL injections are done using the inputs that user provides.
Like if there is a login page and it has two input boxes userid and password.
and if you have written a sql statement as follows
select * from tbllogin where username …
Jump to PostUse mysql_real_escape_string for user inputs, If the input is an integer, check it with intval. …
Jump to PostHi,
The best way to prevent SQL injection is using stored procedures with parameters.
All 9 Replies
vicky_rawat
11
Junior Poster
Hi Shanti,
SQL injections are done using the inputs that user provides.
Like if there is a login page and it has two input boxes userid and password.
and if you have written a sql statement as follows
select * from tbllogin where username = '$_POST["userid"]' and password = '$_POST["pwd"]'suppose I give input as "vicky" for username and for password, I give
1' or '1'='1
then the statement will look like
select * from tbllogin where username = 'vicky' and password = '1' or '1'='1'as you can see from here now this statement will return record in any case, so user will always be able to login to the system.
I think this will give you a starting point to understand the problem.
nav33n
472
Purple hazed!
Team Colleague
Featured Poster
vicky_rawat
11
Junior Poster
Hi,
The best way to prevent SQL injection is using stored procedures with parameters.
Shanti C
106
Posting Virtuoso
Can u explain with details...vicky..please,,,
Shanti C
106
Posting Virtuoso
Hello all...
Any other information about this thread...
please post it...
Thanks...
praveen_dusari
11
Posting Whiz in Training
hi,shanti
SQL injection is a class of security problems in web applications caused by executing sql queries containing user-supplied text e.g. entered on an html form. An attacker can provide text that will do unexpected, possibly harmful, things.
Unfortunately the easiest way to write SQL queries in PHP is also the dangerous way:
mysql_query("UPDATE users SET age='$age' WHERE id = '$id'");
If the string $id is "foo' OR 'x'='x", the resulting query will be:
mysql_query("UPDATE users SET age=$age WHERE id = 'foo' OR 'x'='x'");
This will update age of every user, clearly not a good thing.
A safer way of doing this is:
if (get_magic_quotes_gpc()) {
$age = stripslashes($age);
}
mysql_query("UPDATE users SET age='".mysql_real_quote_string($age)."' WHERE id = '".mysql_real_quote_string($id)."'");
Shanti C
106
Posting Virtuoso
Thanks praveen...
Good Information...
Any other info, post again...
vicky_rawat
11
Junior Poster
hi Shanti,
As we know that stored procedures can be called in two ways:
1. stored procedure name and then list of the values that needs to be passed.
2. create parameters and then execute stored procedure with the parameters.
the 2nd one is best way to prevent SQL injection, as the values will not be passed directly in sql query.
so now 1' or '1'='1 will not be passed as itis within single quotes but passed as values of variables. so the query will try to check for 1' or '1'='1 in the respective column.
It will get clear from the following example.
CREATE PROCEDURE SP_ProductSearch @prodname varchar(400) = NULL AS
DECLARE @sql nvarchar(4000)
SELECT @sql = ' SELET ProductID, ProductName, Category, Price ' +
' FROM Product Where '
IF @prodname IS NOT NULL
SELECT @sql = @sql + ' ProductName LIKE @prodname'
EXEC sp_executesql @sql, N'@prodname varchar(400)',@prodname
Shanti C
106
Posting Virtuoso
Thank you vicky...
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.