Hello, I am going to develop new websites and also have some information about SQL injection, but I do not know how to stop it. I have code like this: mysql_query("select * from user where username ='".mysql_escape_string($user_name)."' "); Is it enough to protect from MySQL injection, or do I have to do more? If yes, then please tell me about its next step. Thanks in advance.
Please consider NOT using the deprecated mysql_ extension; instead, start using either mysqli_ or PDO with prepared statements. Google "php prepared statements mysqli", for instance, to get a list of tutorials and how-tos.
Think of it this way. What input are you expecting? If what is entered is not like what you're expecting, then drop it.
Use mysql_real_escape_string along with UTF-8 encoding and you should be fine. If you are starting a new project, then, as suggested above, learn/use PDO instead.
When I input data into a database, I always sanitize the data before I actually pass it to the SQL. Then use PDO to make sure your data is clean.
You probably should go back and read the tutorial on PDO. With PDO you can parameterize your queries, removing the need to escape any included variables.
lol, so you want me to use user-inputted data directly from $_POST / $_GET? Yes, I do know that PDO can sanitize on queries. But it's been my practice to sanitize and validate "uncontrolled" data as early as possible, so I will be sure that throughout the program the "data" is the same.
No, that is not what I said. Bind parameters. For example:

$query = $db->prepare("SELECT whatever FROM blah WHERE username = :username;");
$query->execute(array(':username' => $username));

This will prevent SQL injection. As for protecting against XSS, HTML, redirects etc., escape your output (not input).
lol, then why didn't you tell me to "go back" and read the PDO tutorial? My first advice to the OP was to sanitize the data, then use PDO. I didn't mention that PDO can't sanitize the data. I'm talking about how "I" would do it if I were him.
"When I input data into a database, I always sanitize the data before I actually pass it to the SQL. Then use PDO to make sure your data is clean." That's my original advice for the OP.
That didn't answer my question. If you use parameterized queries with PDO, you do not need to sanitize beforehand to prevent SQL injection, which is the topic of the OP's posting. In addition, if you wanted to prevent XSS attacks and disable JavaScript and HTML, this should be done on output and not input. These aren't codes that will harm your database.
So you really are saying that we can directly use data from $_POST / $_GET? And as I mentioned in my post above, I wanted to share with the OP some practices, so if perhaps the OP wanted to use the data in another part of the code, he can be sure of the data's "integrity" and "consistency". Again, I've been saying over and over again since my first post that that's why I included "PDO", to make sure that the data is clean. I KNOW that PDO can escape data, but what's wrong with making sure that you have the right data before actually making a PDO instance? Could I remind you of the original question of the OP: the OP is open to suggestions to make sure he's protected from any database injection. So I'm advising to be as "strict" as possible when treating the data. If the SQL needs an "email address" to retrieve results, wouldn't it be wise to check first if the "uncontrolled" data is actually an email before anything else, as it's just plain stupid to continue if the "uncontrolled" data is not an email? If the SQL needs an "integer" or any numerical value, wouldn't it be wise to make sure that we have that "integer" before making the SQL query? The thread starter is asking if what he did is "enough", and I'm only trying to share the good practices with him.
You can directly use $_POST / $_GET like so without worrying about SQL injection:

$query = $db->prepare("SELECT whatever FROM blah WHERE username = :username;");
$query->execute(array(':username' => $_POST['username']));

Validation is not sanitizing. Of course you would validate your data. If your user submits his age, you obviously check to make sure it's in numeric format. My point is you do NOT need to check for SQL injection prior to using PDO if you are using PDO correctly. You stated you sanitize THEN run it through PDO to make sure it's clean. I interpreted your post just as that.
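The approach the replies above converge on, as an added example that is not from anyone in this thread: validate the shape of the input first (an age must be an integer), bind the value with a PDO prepared statement so it is never part of the SQL text, and escape only at output time for HTML. It runs against an in-memory SQLite database so it works offline; the table name, the sample row and the fake $_POST values are constructed for the illustration.

```php
<?php
// Added example, not the thread's own code. Uses pdo_sqlite in memory so it
// runs offline; the user table and sample data are constructed here.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // With pdo_mysql you would also set PDO::ATTR_EMULATE_PREPARES to false
    // so the server, not the client library, does the parameter binding.
    $db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, email TEXT, age INTEGER)');
    $ins = $db->prepare('INSERT INTO user (username, email, age) VALUES (:u, :e, :a)');
    $ins->execute([':u' => "O'Brien", ':e' => 'obrien@example.com', ':a' => 42]);
    return $db;
}

// Validation: is the input the kind of value we expect? This is separate from
// any notion of "sanitizing" for the query and happens before the query.
function validateAge(string $raw): ?int
{
    $age = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => 150]]);
    return $age === false ? null : $age;
}

// The lookup binds the value; no escaping of $username is needed. The
// apostrophe in "O'Brien" is just data and never becomes part of the SQL.
function findUser(PDO $db, string $username): ?array
{
    $q = $db->prepare('SELECT id, username, email, age FROM user WHERE username = :username');
    $q->execute([':username' => $username]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = makeDb();
// Stand-in for $_POST (constructed); real request values would arrive as strings.
$post = ['username' => "O'Brien", 'age' => '42'];

$age = validateAge($post['age']);
if ($age === null) {
    exit("age must be an integer between 0 and 150\n");
}

$row = findUser($db, $post['username']);
printf("found: %s (%s), age %d\n", $row['username'], $row['email'], $row['age']);

// Escaping belongs on output: render into HTML only through htmlspecialchars.
echo '<p>' . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8') . "</p>\n";
```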