  1. #1 (New Coder, joined Aug 2007)

    SQL Injection question

    Hello,

    Right now I'm working on a script that takes input via either a form or GET, and it goes straight into the DB without any kind of protection. However, the script always adds http:// in front of the input before putting it into the DB, e.g. 'google.com' becomes 'http://google.com'. So 'badcommandhere' becomes 'http://badcommandhere', etc. My question: is SQL injection still possible even WITH adding something (in this case http://) before the user input?

    Thanks

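To see why the http:// prefix changes nothing, here is an added example (not from the thread) of the insert pattern the question describes. It uses PDO with an in-memory SQLite database so it runs offline; the vulnerable part is the string concatenation, which is exactly what the script would do against MySQL. The `links` table, its columns and the function name are made up for the example.

```php
<?php
// Added example: the insert pattern from the question, with a hypothetical
// "links" table. SQLite in memory stands in for MySQL; the bug is in how the
// SQL string is built, not in which database runs it.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE links (id INTEGER PRIMARY KEY, url TEXT NOT NULL)');

// Prefix http:// and drop the user input straight into the statement.
function insertLinkVulnerable(PDO $db, string $input): string
{
    $sql = "INSERT INTO links (url) VALUES ('http://" . $input . "')";
    $db->exec($sql);
    return $sql;   // returned so the SQL that actually ran can be printed
}

// Harmless input behaves exactly as the script intends.
echo insertLinkVulnerable($db, 'google.com'), "\n";

// The attacker does not need to get rid of the prefix. The prefix only opened
// a string literal; a single quote in the input closes that literal, and
// everything after it is parsed as SQL again. Here the payload adds a second
// row of VALUES that the script never meant to insert.
$payload = "x'), ('attacker-controlled";
echo insertLinkVulnerable($db, $payload), "\n";

// Show what ended up in the table.
foreach ($db->query('SELECT id, url FROM links ORDER BY id') as $row) {
    echo $row['id'], ': ', $row['url'], "\n";
}
```

Running this with `php`, the second statement printed is `INSERT INTO links (url) VALUES ('http://x'), ('attacker-controlled')`, and the table ends up with three rows: the intended `http://google.com`, the truncated `http://x`, and `attacker-controlled` with no prefix at all. Anything the script puts in front of the input just becomes a few characters inside the first string literal; the quote in the input still ends that literal.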
  • #2 (Senior Coder, joined Sep 2005)
    Yes, always escape.
    My thoughts on some things: http://codemeetsmusic.com
    And my scrapbook of cool things: http://gjones.tumblr.com

  • #3 (Banned, joined Nov 2007)
    What does escape do? How does this prevent injections?

  • #4 Dat (Regular Coder, joined Oct 2007)
    It turns quotes and other special characters into MySQL-readable code.
    Example: " turns to \"
    \ turns to \\
    ' turns to \'
    and so on.

    This prevents MySQL code like REMOVE database FROM heaven and other bad code.

  • #5 (Regular Coder, joined Mar 2005)
    I might add that you should use mysql_real_escape_string() and not mysql_escape_string().


    Also, if you have magic quotes turned on, make sure to use stripslashes() before calling mysql_real_escape_string().

    See http://www.php.net/mysql_real_escape_string for more details.
    PHP Code:
    $hello = file_get_contents('hello.txt'); echo $hello;
    hello

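The two posts above describe what escaping does and the magic quotes trap. Here is an added example (not from the thread) that shows both concretely. mysql_real_escape_string() needs an open MySQL connection, and the whole mysql extension was removed in PHP 7, so the `escapeLikeMysql()` function below is a stand-in that applies the same documented set of replacements (NUL, newline, carriage return, backslash, single quote, double quote and Ctrl-Z each get a backslash in front). The real function also takes the connection's character set into account, which is the reason the post prefers it over mysql_escape_string(); this stand-in does not, and is for illustration only. `addslashes()` is used to reproduce what magic_quotes_gpc did to incoming GET/POST data, as the PHP manual describes. The `links` table is made up.

```php
<?php
// Added example. Stand-in for mysql_real_escape_string(): the same characters
// get a backslash in front, but without the charset awareness of the real
// function. Do not use this in place of the real escaping function.
function escapeLikeMysql(string $s): string
{
    return strtr($s, [
        "\0"   => '\0',     // NUL
        "\n"   => '\n',     // newline
        "\r"   => '\r',     // carriage return
        '\\'   => '\\\\',   // backslash
        "'"    => "\\'",    // single quote
        '"'    => '\\"',    // double quote
        "\x1a" => '\Z',     // Ctrl-Z
    ]);
}

// Same insert as in the question, but the value is escaped before it is put
// between the quotes. A quote in the input is now data, not SQL syntax.
function buildInsert(string $input): string
{
    return "INSERT INTO links (url) VALUES ('http://" . escapeLikeMysql($input) . "')";
}

echo buildInsert("x'), ('attacker-controlled"), "\n";

// The magic quotes trap (PHP 5.3 and earlier). magic_quotes_gpc backslashed
// every incoming value, the same as addslashes() does. Escaping such a value
// again escapes the backslash too, so the database ends up storing a stray
// backslash. stripslashes() first undoes what magic quotes did.
$raw = "O'Reilly";
$fromRequest = addslashes($raw);   // what $_GET / $_POST held under magic_quotes_gpc

echo "double-escaped: ", escapeLikeMysql($fromRequest), "\n";
echo "correct:        ", escapeLikeMysql(stripslashes($fromRequest)), "\n";
```

The first line printed is `INSERT INTO links (url) VALUES ('http://x\'), (\'attacker-controlled')`: the payload's quote is now `\'` and the statement inserts one row whose url literally contains the payload. The "double-escaped" line is `O\\\'Reilly`, which MySQL decodes and stores as `O\'Reilly` (wrong); the "correct" line is `O\'Reilly`, stored as `O'Reilly`. On PHP 5.3 and earlier the check was `if (get_magic_quotes_gpc()) { $value = stripslashes($value); }`; magic quotes no longer exist from PHP 5.4 onward, so on a current PHP the stripslashes() step must not be applied, or legitimate backslashes in the input would be eaten.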
  • #6 (Senior Coder, joined Jan 2007)
    Or make your own life easier and use prepared statements. You won't have to worry about SQL injection any more as it is impossible.


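The prepared statement version of the insert from the question, as an added example that is not part of the original post. It uses PDO with an in-memory SQLite database so it runs offline; with MySQL only the DSN changes. The `links` table and the function name are made up for the example.

```php
<?php
// Added example: the same insert as in the question, done with a PDO prepared
// statement. "links" is a hypothetical table. SQLite in memory stands in for
// MySQL; for MySQL the DSN would be a mysql: one and the rest is unchanged.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE links (id INTEGER PRIMARY KEY, url TEXT NOT NULL)');

// The SQL text is fixed once and contains a placeholder instead of the value.
$insert = $db->prepare('INSERT INTO links (url) VALUES (:url)');

// The http:// prefix is still added in PHP, but the whole value travels to the
// database as a bound parameter, never as part of the SQL text. There is no
// escaping call, and there is nothing for a quote in the input to close.
function insertLink(PDOStatement $insert, string $input): void
{
    $insert->execute([':url' => 'http://' . $input]);
}

insertLink($insert, 'google.com');
insertLink($insert, "x'), ('attacker-controlled");   // the earlier payload, now just text

foreach ($db->query('SELECT id, url FROM links ORDER BY id') as $row) {
    echo $row['id'], ': ', $row['url'], "\n";
}
```

The table ends up with exactly two rows, `http://google.com` and `http://x'), ('attacker-controlled`, the second being the payload stored as an ordinary string. Two practical caveats: with the MySQL driver, put the charset in the DSN (e.g. `charset=utf8mb4`) and consider `PDO::ATTR_EMULATE_PREPARES => false` so the server does the preparing rather than the client-side emulation; and placeholders only work for values, so table and column names, or an ORDER BY direction taken from the user, still have to be checked against an allowlist before they go into the SQL text.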