SQL Injection question

11-18-2007, 07:00 PM

Right now I'm working on a script that takes input via either a form or GET, and it goes straight into the DB without any kind of protection. However, the script always adds http:// in front of the input before putting it into the DB, e.g. 'google.com' becomes 'http://google.com'. So 'badcommandhere' becomes 'http://badcommandhere', etc. My question: is SQL injection still possible even WITH adding stuff (in this case http://) before the user input?


11-18-2007, 09:26 PM
Yes, always escape.

11-18-2007, 10:29 PM
What does escape do? - How does this prevent injections?

11-18-2007, 10:45 PM
It turns quotes and other special characters into MySQL-readable code.
example: " turns to \"
\ turns to \\
' turns to \'
and etc.

This prevents MySQL code like REMOVE database FROM heaven and other bad code.

11-18-2007, 10:54 PM
I might add that you should use mysql_real_escape_string() and not mysql_escape_string().

Also, make sure that if you have magic quotes turned on, you'll want to use stripslashes() before calling mysql_real_escape_string().

See http://www.php.net/mysql_real_escape_string for more details.

11-19-2007, 04:27 PM
Or make your own life easier and use prepared statements. You won't have to worry about SQL injection any more as it is impossible.
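The following is an added example, not code from anyone in this thread. It puts the three things discussed above side by side: the pattern from the original question (a fixed "http://" prefix concatenated into the query), the escaping fix from the later replies, and the prepared-statement fix from the last reply. The `links` table, its `url` column and the connection details are assumptions made for the example. The thread's `mysql_real_escape_string()` belongs to the old `mysql_*` extension, which was removed in PHP 7; `mysqli::real_escape_string()` is the equivalent used here.

```php
<?php
// Added example (not from the thread). Assumes a table `links` with a
// column `url`; table and column names are assumptions for illustration.

// 1. The pattern from the question: the "http://" prefix is added, then the
//    value is concatenated straight into the SQL text.
function buildQueryUnsafe(string $input): string {
    $url = 'http://' . $input;
    return "INSERT INTO links (url) VALUES ('" . $url . "')";
}

// Constructed input that merely contains an apostrophe. The prefix is still in
// front of it, but the quote closes the SQL string literal, so everything after
// it is parsed as SQL rather than stored as data. The prefix changes the value;
// it does nothing about where the string delimiter sits. That is why the
// answer to the question is "yes, injection is still possible".
$input = "o'reilly.com";
echo buildQueryUnsafe($input), "\n";
// INSERT INTO links (url) VALUES ('http://o'reilly.com')   <-- broken literal

// 2. Escaping, as recommended in the replies. Escaping needs the connection
//    because the correct escaping depends on the connection character set,
//    which is also why mysql_real_escape_string() was preferred over
//    mysql_escape_string().
function buildQueryEscaped(mysqli $db, string $input): string {
    // Magic quotes (PHP < 5.4) already backslash-escaped GET/POST data; strip
    // that first or the value is escaped twice and stored as "o\'reilly.com".
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $input = stripslashes($input);
    }
    $url = 'http://' . $input;
    return "INSERT INTO links (url) VALUES ('" . $db->real_escape_string($url) . "')";
}
// Produces: INSERT INTO links (url) VALUES ('http://o\'reilly.com')

// 3. Prepared statement, as in the last reply: the SQL text and the value are
//    sent to the server separately, so the value is never parsed as SQL no
//    matter which characters it contains. No escaping step is needed.
function insertLinkPrepared(mysqli $db, string $input): bool {
    $url = 'http://' . $input;
    $stmt = $db->prepare('INSERT INTO links (url) VALUES (?)');
    $stmt->bind_param('s', $url);   // 's' = bind as a string
    return $stmt->execute();
}

// Usage (connection parameters are placeholders):
// $db = new mysqli('localhost', 'user', 'password', 'dbname');
// $db->set_charset('utf8mb4');     // keep escaping and the connection charset in step
// insertLinkPrepared($db, $_GET['url'] ?? '');
```

The first function is what the question describes and is the one to avoid; it is included only to show that the prefix leaves the quoting problem untouched. Of the two fixes, the prepared statement is the simpler one to get right, since escaping has to be applied to every value on every query and is only correct when the connection charset is set.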

EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum