SQL Injection question

11-18-2007, 08:00 PM

Right now I'm working on a script that takes input via either a form or GET, and it goes straight into the DB without any kind of protection. However, the script always adds http:// in front of the input before putting it into the DB, e.g. 'google.com' becomes 'http://google.com'. So 'badcommandhere' becomes 'http://badcommandhere', etc. My question: is SQL injection still possible even WITH adding stuff (in this case http://) before the user input?


11-18-2007, 10:26 PM
Yes, always escape.

11-18-2007, 11:29 PM
What does escaping do? How does this prevent injections?

11-18-2007, 11:45 PM
It turns quotes and other special characters into MySQL-readable code.
Example: " turns into \"
\ turns into \\
' turns into \'
etc.

This prevents MySQL code like REMOVE database FROM heaven and other bad code.

11-18-2007, 11:54 PM
I might add that you should use mysql_real_escape_string() and not mysql_escape_string().

Also, make sure that if you have magic quotes turned on, you'll want to use stripslashes() before calling mysql_real_escape_string().

See http://www.php.net/mysql_real_escape_string for more details.

11-19-2007, 05:27 PM
Or make your own life easier and use prepared statements. You won't have to worry about SQL injection any more as it is impossible.
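The following is an added example, not code from anyone in this thread. It demonstrates two of the points above at once: the opening question (does a fixed http:// prefix stop injection?) and the last reply's advice to use prepared statements. It uses Python's built-in sqlite3 module in place of PHP and MySQL so it runs offline; the table names, the sample users row and the attacker payload are all constructed for the example. The injection mechanism is the same in MySQL (a quote in the input terminates the string literal the script opened), but MySQL's string quoting rules differ from SQLite's, which is exactly why a MySQL escaping function such as mysql_real_escape_string() is database-specific while a bound parameter is not.

```python
import sqlite3

# Constructed sample data (not from the original thread): a links table the
# script writes to, plus a users table the attacker should never be able to read.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
INSERT INTO users (name, password) VALUES ('admin', 'hunter2');
CREATE TABLE links (id INTEGER PRIMARY KEY, url TEXT);
"""

# Hypothetical attacker input. The leading "x'" closes the string literal the
# script opened, so everything after it is parsed as SQL rather than as data.
# The trailing "--" comments out the quote and parenthesis the script appends.
PAYLOAD = "x'), ((SELECT password FROM users LIMIT 1)) --"


def fresh_db():
    """Return a new in-memory database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def save_url_vulnerable(conn, user_input):
    """The pattern from the question: prepend http:// and concatenate into SQL.

    The prefix is just more characters inside the same string literal; it does
    nothing to stop a quote in user_input from terminating that literal.
    """
    url = "http://" + user_input
    sql = "INSERT INTO links (url) VALUES ('" + url + "')"
    conn.execute(sql)
    conn.commit()
    return sql  # returned so the reader can see exactly what was executed


def save_url_prepared(conn, user_input):
    """Same prefix, but the value is bound as a parameter, never spliced into SQL."""
    url = "http://" + user_input
    conn.execute("INSERT INTO links (url) VALUES (?)", (url,))
    conn.commit()


def stored_urls(conn):
    """Read back whatever ended up in the links table, in insertion order."""
    return [row[0] for row in conn.execute("SELECT url FROM links ORDER BY id")]


def demo():
    # 1. Concatenation: the attacker's subquery runs inside the INSERT and
    #    copies a password into a table the attacker can read back later.
    vuln = fresh_db()
    executed = save_url_vulnerable(vuln, PAYLOAD)
    vuln_rows = stored_urls(vuln)

    # 2. Prepared statement: the whole payload is stored verbatim as one URL;
    #    the users table is never touched.
    safe = fresh_db()
    save_url_prepared(safe, PAYLOAD)
    safe_rows = stored_urls(safe)
    return executed, vuln_rows, safe_rows


if __name__ == "__main__":
    executed, vuln_rows, safe_rows = demo()
    print("executed SQL:", executed)
    print("vulnerable:  ", vuln_rows)
    print("prepared:    ", safe_rows)
```

Running it shows the concatenated version storing two rows, 'http://x' and the admin password, while the parameterised version stores a single harmless row containing the literal payload. Note that this injection needs only one statement, so a driver that refuses to run multiple statements per call (as sqlite3 and the old mysql_query() both do) offers no protection here.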