Member Avatar for Taffd

Hi everyone,
Can anyone tell me the security issues when passing url parameters for a forum. I'm building my own forums using dreamweaver and as I understand it, using url parameters make the site susceptible to sql injection.
Regards
Taffd

  • 4 Contributors
  • 5 Replies
  • 102 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by nav33n

Recommended Answers

All 5 Replies

Member Avatar for hacker9801

For an SQL query, use something like

$var = mysql_real_escape_string(htmlspecialchars($_GET['param']));
mysql_query($var);

I dunno, that's what I use. Let a real expert tell you. :P

Member Avatar for nav33n

lol.. hacker9801 is right.. htmlspecialchars will convert html characters like >, <, & to &gt; &lt; and so on.. and mysql_real_escape_string will escape all the special characters in user's input, like, /, ', " etc..

Member Avatar for TopDogger

That's a good routine to use if your server is set up to use it properly.

mysql_real_escape_string will not work unless you are using at least PHP 4.3.0. Also, if magic quotes is turned on, you can get double backslashes.

As an alternative, you can try the following or modify it as necessary.

Prevent SQL Injection

The function on that page is commonly used for preventing SQL injection issues.

htmlspecialchars is also good for preventing cross-site scripting.

Member Avatar for Taffd

Thanks y'all, particularly to TopDogger, for the link. Maybe I should have been a little more specific.

I'm particularly interested in whether dreamweaver written code already takes these issues into account.

In light of your answers so far, I will revisit the code and try to work it out.
Regards
Taffd

Member Avatar for nav33n

I'm particularly interested in whether dreamweaver written code already takes these issues into account.

Nope.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.