SQL Injection question

koolaid

11-18-2007, 07:00 PM

Hello,

Right now i'm working on a script that has input via either a form or GET, and goes straight in the DB without any kind of protection. However the script always adds http:// in front of the input before putting it into the DB e.g. 'google.com' becomes 'http://google.com'. So 'badcommandhere' becomes 'http://badcommandhere' etc. My question: is SQL injection still possible even WITH adding stuff (in this case http://) before the user input?

Thanks

GJay

11-18-2007, 09:26 PM

yes, always escape

Zeater

11-18-2007, 10:29 PM

What does escape do? - How does this prevent injections?

Dat

11-18-2007, 10:45 PM

It turn's quotes and other special chapters into into mySQL readable code.
example: " turn to \"
\ turn to \\
' turn to \'
and ect.

This prevent MySQL codes likes REMOVE database FROM heaven and other bad codes.

rpgfan3233

11-18-2007, 10:54 PM

I might add that you should use mysql_real_escape_string() and not mysql_escape_string().

Also, make sure that if you have magic quotes turned on, you'll want to use stripslashes() before calling mysql_real_escape_string().

See http://www.php.net/mysql_real_escape_string for more details.

aedrin

11-19-2007, 04:27 PM

Or make your own life easier and use prepared statements. You won't have to worry about SQL injection any more as it is impossible.