
SQL Injection question



koolaid
11-18-2007, 08:00 PM
Hello,

Right now I'm working on a script that has input via either a form or GET, and goes straight in the DB without any kind of protection. However the script always adds http:// in front of the input before putting it into the DB e.g. 'google.com' becomes 'http://google.com'. So 'badcommandhere' becomes 'http://badcommandhere' etc. My question: is SQL injection still possible even WITH adding stuff (in this case http://) before the user input?

Thanks

GJay
11-18-2007, 10:26 PM
Yes, always escape.

Zeater
11-18-2007, 11:29 PM
What does escape do? - How does this prevent injections?

Dat
11-18-2007, 11:45 PM
It turns quotes and other special characters into MySQL-readable code.
example: " turns to \"
\ turns to \\
' turns to \'
and etc.

This prevents MySQL code like REMOVE database FROM heaven and other bad code.

rpgfan3233
11-18-2007, 11:54 PM
I might add that you should use mysql_real_escape_string() and not mysql_escape_string().


Also, make sure that if you have magic quotes turned on, you'll want to use stripslashes() before calling mysql_real_escape_string().

See http://www.php.net/mysql_real_escape_string for more details.

aedrin
11-19-2007, 05:27 PM
Or make your own life easier and use prepared statements. You won't have to worry about SQL injection any more as it is impossible.
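An added example (mine, not from any poster in this thread), written in Python with sqlite3 instead of PHP/MySQL to show the same point: the question's `http://` prefix does nothing to stop injection when the value is concatenated into the query, while the two fixes suggested above (quote-escaping, or a bound parameter as in a prepared statement) keep the input as data. The `links` table and its rows are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the poster's URL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE links (id INTEGER PRIMARY KEY, url TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO links (url, owner) VALUES (?, ?)",
        [("http://google.com", "alice"),
         ("http://example.org", "bob"),
         ("http://secret.internal", "carol")],
    )
    return conn


def lookup_concat(conn, user_input):
    """The pattern from the question: add the prefix, then splice the string into SQL."""
    url = "http://" + user_input
    sql = "SELECT owner FROM links WHERE url = '" + url + "'"
    # A single quote in user_input ends the literal early; the prefix is already behind it.
    return [row[0] for row in conn.execute(sql)]


def escape_sqlite_literal(value):
    """Hand-rolled escaping for SQLite string literals (doubling '), the role
    mysql_real_escape_string() plays for MySQL. Still string-building, so easy to forget."""
    return value.replace("'", "''")


def lookup_escaped(conn, user_input):
    url = "http://" + user_input
    sql = "SELECT owner FROM links WHERE url = '" + escape_sqlite_literal(url) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, user_input):
    """Same prefix, but the value is bound as a parameter and never parsed as SQL."""
    url = "http://" + user_input
    return [row[0] for row in conn.execute("SELECT owner FROM links WHERE url = ?", (url,))]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("concat  :", lookup_concat(db, probe))    # every owner leaks despite the prefix
    print("escaped :", lookup_escaped(db, probe))   # []
    print("param   :", lookup_param(db, probe))     # []
```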



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum