Re: sql injection

You can write (') characters in the database; that's fine.

mysql_real_escape_string avoids injections by doing exactly that: escaping characters.
Then when you put in a form

abc'''def

the query will be

INSERT ..... (name.....) VALUES ( 'abc\'\'\'def'....

each ' => \'

For me the steps are right.

Regards

On Thu, May 29, 2008 at 4:10 PM, Sudhakar <sudhakararaog@xxxxxxxxx> wrote:
> I have implemented a way to avoid SQL injection on the PHP website from
> this URL
> http://in.php.net/mysql_real_escape_string  from the "Example #3 A "Best
> Practice" query" section of this page.
>
> Following are the steps I have followed after the form values are submitted
> to a PHP file.
>
> step 1.
>
> if(get_magic_quotes_gpc())
> {
>     $username = stripslashes($_POST["username"]);
>     .........
> }
> else
> {
>     $username = $_POST["username"];
>     .........
> }
>
> step 2.
>
> $conn = mysql_connect($hostname, $user, $password);
>
> step 3.
>
> $insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s',
> ...)", mysql_real_escape_string($username, $conn), ...);
>
> step 4.
>
> if(!$conn)
> {
>     header("Location: http://website/dberror.html");
>     exit;
> }
> else
> {
>     mysql_select_db($database, $conn);
>
>     $insertqueryresult = mysql_query($insertquery);
>
>     if(!$insertqueryresult) {
>         header("Location: http://website/error.html");
>         exit;
>     }
> }
>
> With the above method I am able to insert values into the table even if
> I enter the ' special character, which can cause problems.
>
> I have also used a simple SQL insert query like
>
> $insertquery = "INSERT INTO table(username, ...) VALUES ('$username', ...)";
>
> When I used this simple insert query and entered ' in the form and
> submitted the form, the PHP file was unable to process the information entered
> because of the ' character, and as per the code the error.html file is
> displayed, whereas if I use
>
> $insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s',
> ...)", mysql_real_escape_string($username, $conn), ...);
>
> even if I enter any number of ' characters in more than one form field, data is
> being inserted into the table.
>
> a)
> So I am thinking that the steps I have taken from the PHP site are correct
> and the right way to avoid SQL injection, though there are several ways to
> avoid SQL injection.
>
> b)
> For example, if I enter data in the form as = abc'''def for name, the data in
> the table for the name field is being written as abc'''def.
>
> Based on how I have written the steps to avoid SQL injection, is this the
> right way for the data to be stored with ' characters along with the data,
> example as I mentioned = abc'''def?
>
> Please answer questions a) and b); if there is something else I need to
> do, please suggest what needs to be done exactly and at which step.
>
> Any help will be greatly appreciated.
>
> Thanks.
>



-- 
The wise seek wisdom; fools believe they have found it.
Gabriel Sosa

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
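As an added example (not code from the thread), here is the insert the poster describes done with a bound parameter, next to the interpolated form that failed on abc'''def. It uses PDO with an in-memory SQLite database (assumes the pdo_sqlite extension) so it runs without a MySQL server; the users table and the input value are constructed for the demo.

```php
<?php
// Added example, not code from the thread. PDO's SQLite driver with an
// in-memory database is used so this runs without a MySQL server; for MySQL
// only the DSN changes. The users table and the inputs are constructed here.

function insert_user(PDO $db, string $username): void
{
    // The value travels separately from the SQL text, so quote characters in
    // it are never parsed as SQL and no escaping call is needed.
    $stmt = $db->prepare('INSERT INTO users (username) VALUES (:username)');
    $stmt->execute([':username' => $username]);
}

function insert_user_unsafe(PDO $db, string $username): void
{
    // The interpolated form from the thread: the value becomes part of the
    // SQL text, so a ' inside it changes the statement itself.
    $db->exec("INSERT INTO users (username) VALUES ('$username')");
}

function fetch_usernames(PDO $db): array
{
    return $db->query('SELECT username FROM users ORDER BY id')
              ->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, '
        . 'username TEXT NOT NULL)');

$input = "abc'''def";  // constructed: the exact value discussed in the thread

// Unsafe form: the quotes in the value produce a SQL syntax error, which is
// what the original poster saw as the redirect to error.html.
try {
    insert_user_unsafe($db, $input);
    echo "unsafe insert unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "unsafe insert failed: " . $e->getMessage() . "\n";
}

// Bound parameter: the same value is stored exactly as typed, no escaping.
insert_user($db, $input);
$stored = fetch_usernames($db);
echo "stored: " . var_export($stored, true) . "\n";
echo ($stored === [$input]) ? "round trip intact\n" : "round trip mismatch\n";
```

Escaping with mysql_real_escape_string works as the reply describes, but binding parameters removes the need to escape at all. The mysql_* functions used in the thread were removed in PHP 7, so current code should use PDO or mysqli with prepared statements.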

