SQL Injections

Printable View

Show 40 post(s) from this thread on one page

24-11-2007, 04:18 PM
Hitman

SQL Injections

Hey!

I'm not good with security (lol), what do I need to do to secure my forums that put data into sql databases?

To stop sql injections, html etc?

Can somebody find me a tut or write the code with where it goes? I've used google, no use. I had it before, but the link is dead. :(
24-11-2007, 04:24 PM
MrCraig

Quote:

Originally Posted by Hitman

Hey!

I'm not good with security (lol), what do I need to do to secure my forums that put data into sql databases?

To stop sql injections, html etc?

Can somebody find me a tut or write the code with where it goes? I've used google, no use. I had it before, but the link is dead. :(

Use a cleaning function :)

PHP Code:

<? function clean($str) { $cl = strip_tags(addslashes(stripslashes(htmlspecialchars($str)))); return $cl; }

Then use the cleaning string when declaring vars.

eg

$v1 = clean($_GET[v1]);
24-11-2007, 04:43 PM
Hitman

Thanks! :)
24-11-2007, 04:53 PM
lolwut

mysql_real_escape_string() is the best thing to help you with this, but make sure you're connected to a database first or it won't work.
I.e:

PHP Code:

include something.php; $var = $_POST['var']; $newvar = mysql_real_escape_string($var);
24-11-2007, 05:03 PM
MrCraig

Dont mean to sound stupid, but what does mysql_real_escape_string do anyways ?

Like does it filter out commands or something?
24-11-2007, 06:20 PM
Florx

http://us.php.net/mysql_real_escape_string
24-11-2007, 09:37 PM
Beau

I'd suggest using sprintf as well:

PHP Code:

$query = sprintf("SELECT * FROM users WHERE username='%s'", mysql_real_escape_string($_POST['username']); $query = mysql_query($query);

That tells PHP beforehand what the string should look like, thus preventing injections somewhat.

Also, don't throw strip_tags, htmlspecialchars and mysql_real_escape_string into the one clean function. Make two; one for sanitizing and one for returning. Sanitizing will apply to all data going into the database (just need mysql_real_escape_string), and returning for data being echoed back to the user (htmlspecialchars imo, no need to strip the tags, just display everything back). You'll find yourself using a load of server resources if you echo everything back using mysql_real_escape_string.
24-11-2007, 11:13 PM
Hitman

Quote:

Originally Posted by Beau

I'd suggest using sprintf as well:

PHP Code:

$query = sprintf("SELECT * FROM users WHERE username='%s'", mysql_real_escape_string($_POST['username']); $query = mysql_query($query);

That tells PHP beforehand what the string should look like, thus preventing injections somewhat.

Also, don't throw strip_tags, htmlspecialchars and mysql_real_escape_string into the one clean function. Make two; one for sanitizing and one for returning. Sanitizing will apply to all data going into the database (just need mysql_real_escape_string), and returning for data being echoed back to the user (htmlspecialchars imo, no need to strip the tags, just display everything back). You'll find yourself using a load of server resources if you echo everything back using mysql_real_escape_string.

OK, so for everything put the mysql_real_escape_string, for things like signature etc put the htmlspecialchars (so no redirections etc).
24-11-2007, 11:26 PM
Beau

Quote:

Originally Posted by Hitman

OK, so for everything put the mysql_real_escape_string, for things like signature etc put the htmlspecialchars (so no redirections etc).

Pretty much. Thing is, you mightn't want to remove HTML from certain things, like news posts and stuff. That's why you don't want it all in the same function ;)
24-11-2007, 11:32 PM
Hitman

Quote:

Originally Posted by Beau

Pretty much. Thing is, you mightn't want to remove HTML from certain things, like news posts and stuff. That's why you don't want it all in the same function ;)

You're 2 steps ahead of me. :P

Show 40 post(s) from this thread on one page