
View Full Version : SQL Injections



hbro1095
07-15-2011, 07:42 AM
Could someone give me a really quick, basic, detailed lesson on SQL injections? I've never used them before on my crappy games but I plan to keep this game online and this has to be done. I've looked online and one site says use statements, others say just use the addslashes function, then others say just escape it... What the hell do I use? Please give an example of what I should be doing.

Also, does this have to be done on everything with user input?

UPDATE / INSERT / POST / GET ?

Maybe make this a sticky for others.

ITS
07-15-2011, 08:40 AM
Hi,
Here you can find more details about SQL injection: tizag.com/mysqlTutorial/mysql-php-sql-injection.php

nobackseat88
07-15-2011, 09:02 AM
Assuming you're using MySQL, use


mysql_real_escape_string( $_GET[ 'var' ] );

on each and every user input you plan on placing into a query.

SQL Injection allows users to execute SQL commands. Using the function above renders the malicious input useless.

NBS

hbro1095
07-15-2011, 12:31 PM
Assuming you're using MySQL, use


mysql_real_escape_string( $_GET[ 'var' ] );

on each and every user input you plan on placing into a query.

SQL Injection allows users to execute SQL commands. Using the function above renders the malicious input useless.

NBS

Thank you for your help the both of you, really simple and gonna help me :)

Just another question: you say I have to update the user's input. Is this also on inserts and updates? I've included a picture with a few examples, is this correct?

guelphdad
07-15-2011, 03:25 PM
You need to escape all user input. If you don't, you are vulnerable to attacks.

nobackseat88
07-15-2011, 07:11 PM
No, no, you still use


mysql_query( $sql );

to execute your SQL.

The function I gave in my previous post is just a function that returns an escaped value. That value can then be placed into a query of any kind (INSERT, DELETE, UPDATE, etc).

NBS
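An added example (not code from the thread) showing the escaping approach from the two posts above applied to a SELECT, an INSERT and an UPDATE. It uses the mysqli_* functions, which take the same arguments and behave the same as the mysql_* ones quoted above but still exist in current PHP. The connection details, the `players` table and the sample request values are placeholders constructed for the example. The two details that trip people up are in the comments: the escaped value must sit between single quotes in the SQL, and numeric columns need a cast or validation instead of escaping.

```php
<?php
// Added example, not code from the thread. Placeholder connection details.
$link = mysqli_connect('localhost', 'db_user', 'db_pass', 'game');
if (!$link) {
    die('Connection failed: ' . mysqli_connect_error());
}

// Constructed sample input, standing in for $_GET / $_POST values.
// A name with an apostrophe is enough to break an unescaped query.
$_GET['username'] = "o'brien";
$_GET['score']    = "12abc";   // not a clean integer
$_GET['id']       = "7";

// 1. Strings: escape every value before it goes into the query, and then
//    wrap the escaped value in single quotes in the SQL. Escaping only
//    neutralises quote and backslash characters, so an unquoted string
//    in the query text is still a problem.
$username = mysqli_real_escape_string($link, $_GET['username']);
// $username is now o\'brien, which MySQL reads as the literal o'brien.

// 2. Numbers: escaping does nothing useful for an unquoted number, so
//    cast (or validate with filter_var / ctype_digit) instead.
$score = (int) $_GET['score'];   // "12abc" becomes 12
$id    = (int) $_GET['id'];      // "7" becomes 7

// The same escaped value is safe in any statement type.

// INSERT
$sql = "INSERT INTO players (username, score) VALUES ('$username', $score)";
mysqli_query($link, $sql) or die('Insert failed: ' . mysqli_error($link));

// UPDATE
$sql = "UPDATE players SET score = $score WHERE id = $id";
mysqli_query($link, $sql) or die('Update failed: ' . mysqli_error($link));

// SELECT (the $_GET flow the thread asks about)
$sql = "SELECT id, username, score FROM players WHERE username = '$username'";
$result = mysqli_query($link, $sql) or die('Select failed: ' . mysqli_error($link));

while ($row = mysqli_fetch_assoc($result)) {
    // Escaping for SQL is separate from escaping for HTML output.
    echo htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8'), ': ', (int) $row['score'], "\n";
}

mysqli_close($link);
```

Note that mysqli_real_escape_string() needs an open connection because it escapes according to the connection's character set; calling the mysql_* version before connecting silently falls back to a default and is a common source of bugs.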

Old Pedant
07-16-2011, 12:11 AM
We should point out that, in general, parameterized queries are not subject to SQL injection.

They may be a pain to use, but they can reduce your exposure tremendously.
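An added example (not from the thread) of the parameterized approach Old Pedant mentions, using PDO prepared statements for the same INSERT, UPDATE and SELECT. With placeholders the SQL text is sent to the server separately from the values, so there is nothing to escape. The DSN, credentials and `players` table are placeholder assumptions.

```php
<?php
// Added example, not code from the thread. Placeholder DSN and credentials.
$pdo = new PDO(
    'mysql:host=localhost;dbname=game;charset=utf8mb4',
    'db_user',
    'db_pass',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepares
    ]
);

// Constructed sample input standing in for $_GET values.
$_GET['username'] = "o'brien";
$_GET['score']    = "12";

$username = (string) ($_GET['username'] ?? '');

// Validate numbers instead of relying on the database to coerce them.
$score = filter_var($_GET['score'] ?? '', FILTER_VALIDATE_INT);
if ($score === false) {
    http_response_code(400);
    exit('score must be an integer');
}

// INSERT: named placeholders in the SQL, values supplied separately.
// No quotes around :username, no escaping call.
$stmt = $pdo->prepare('INSERT INTO players (username, score) VALUES (:username, :score)');
$stmt->execute([':username' => $username, ':score' => $score]);
$newId = (int) $pdo->lastInsertId();

// UPDATE: bindValue() with PDO::PARAM_INT keeps the integer type.
$stmt = $pdo->prepare('UPDATE players SET score = :score WHERE id = :id');
$stmt->bindValue(':score', $score, PDO::PARAM_INT);
$stmt->bindValue(':id', $newId, PDO::PARAM_INT);
$stmt->execute();

// SELECT with a positional placeholder.
$stmt = $pdo->prepare('SELECT id, username, score FROM players WHERE username = ?');
$stmt->execute([$username]);
foreach ($stmt as $row) {
    echo htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8'), ': ', (int) $row['score'], "\n";
}

// Placeholders only stand in for values. A table or column name, or an
// ORDER BY direction, cannot be bound, so those must come from a fixed
// allow-list rather than from the request.
$allowedSort = ['score', 'username'];
$sort = in_array($_GET['sort'] ?? '', $allowedSort, true) ? $_GET['sort'] : 'score';
$stmt = $pdo->query("SELECT id, username, score FROM players ORDER BY $sort DESC");
foreach ($stmt as $row) {
    echo (int) $row['id'], "\n";
}
```

Once every query in the game goes through prepare()/execute(), the "did I remember to escape this one?" question from the original post goes away, which is the exposure reduction Old Pedant is describing.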

abduraooft
07-16-2011, 08:29 AM
Maybe make this a sticky for others.
We already have a sticky with a lot of info, including yours. See
http://www.codingforums.com/showthread.php?t=91271


