Hi everyone,
Can anyone tell me the security issues when passing URL parameters for a forum? I'm building my own forums using Dreamweaver and, as I understand it, using URL parameters makes the site susceptible to SQL injection.
Regards
Taffd


For an SQL query, use something like

// escape the value, then embed it in a quoted SQL literal (needs an open mysql_connect() link);
// "posts"/"title" are placeholder table and column names
$var = mysql_real_escape_string(htmlspecialchars($_GET['param']));
$result = mysql_query("SELECT * FROM posts WHERE title = '$var'");

I dunno, that's what I use. Let a real expert tell you. :P

lol.. hacker9801 is right.. htmlspecialchars will convert HTML characters like >, <, & to &gt;, &lt; and so on.. and mysql_real_escape_string will escape all the special characters in the user's input, like /, ', " etc..

That's a good routine to use if your server is set up to use it properly.

mysql_real_escape_string will not work unless you are using at least PHP 4.3.0. Also, if magic quotes is turned on, you can get double backslashes.

As an alternative, you can try the following or modify it as necessary.

Prevent SQL Injection

The function on that page is commonly used for preventing SQL injection issues.

htmlspecialchars is also good for preventing cross-site scripting.
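As an added example (not code from this thread, and not what Dreamweaver's server behaviors generate), here is a forum lookup driven by a URL parameter done the unsafe way and with a prepared statement, which removes the need for escaping the value at all. It assumes PHP with PDO and the pdo_sqlite extension so it runs stand-alone; the table, rows and the input value are constructed for the demo.

```php
<?php
// In-memory SQLite via PDO so the script runs offline; a MySQL DSN works the same way.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE threads (id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO threads (id, title) VALUES (1, 'Hello world'), (2, 'O''Reilly books')");

// Constructed input standing in for $_GET['title']; the apostrophe is something
// an ordinary user might type, and it is enough to break a concatenated query.
$param = "O'Reilly books";

// Unsafe: the raw parameter is spliced into the SQL text, so the quote in the
// input terminates the string literal and the statement no longer parses.
function unsafeLookup(PDO $db, string $title): string {
    try {
        $sql = "SELECT id FROM threads WHERE title = '" . $title . "'";
        $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
        return $row ? (string) $row['id'] : 'no match';
    } catch (PDOException $e) {
        return 'query error: ' . $e->getMessage();
    }
}

// Safe: a prepared statement sends the SQL and the value separately, so the
// value is never parsed as SQL, whatever characters it contains.
function safeLookup(PDO $db, string $title): string {
    $stmt = $db->prepare("SELECT id FROM threads WHERE title = :title");
    $stmt->execute([':title' => $title]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (string) $row['id'] : 'no match';
}

echo "unsafe: " . unsafeLookup($db, $param) . "\n";   // syntax error from the database
echo "safe:   " . safeLookup($db, $param) . "\n";     // 2

// htmlspecialchars belongs at output time, when the value is written into HTML,
// not before it is stored or used in SQL: storing "O&#039;Reilly" would make the
// lookup above fail to match the title the user actually typed.
$title = $db->query("SELECT title FROM threads WHERE id = 2")->fetchColumn();
echo "<h1>" . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . "</h1>\n";
```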

Thanks y'all, particularly to TopDogger, for the link. Maybe I should have been a little more specific.

I'm particularly interested in whether dreamweaver written code already takes these issues into account.

In light of your answers so far, I will revisit the code and try to work it out.
Regards
Taffd

I'm particularly interested in whether dreamweaver written code already takes these issues into account.

Nope.
