My registration has the following code:

    // Only add slashes ourselves when PHP's magic quotes have not already done it
    if (!get_magic_quotes_gpc()) {
        $_POST['pass'] = addslashes($_POST['pass']);
        $_POST['username'] = addslashes($_POST['username']);
    }

I know it has something to do with single quotes, double quotes, backslashes and NULs, but with or without this code, when I register with those characters, I see no difference in the database. Can someone explain to me what it's for? Thanks...
This code which you've written here is not functional because it looks if the get_magic_quotes_gpc function exists. It is standard in PHP and this code won't work. Remove the "if". Just:

    $_POST['pass'] = addslashes($_POST['pass']);
    $_POST['username'] = addslashes($_POST['username']);

should be okay.
In your code, it just checks if a function such as "get_magic_quotes_gpc" exists or not. If not, action. That's why it was not working.
What I mean is: with or without adding slashes, I get an error when trying to log in while using those chars.
If you don't add slashes, you can easily get hacked via SQL injection. Code something like this in the username field: 'DELETE FROM tablename WHERE 'x'='x works without slashes.
Thx. I have just finished reading a little about SQL injections and I have a few more questions. My website has a lot of forms. Adding slashes may work at registration since I store it and later I remove those slashes when I get the information, but what can I do with the rest of my forms, even such as LOGIN? What if I just disallow sending those special characters, will it solve the problem?
Here is a function that I use while inserting data into MySQL:

    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
    {
        // Undo magic quotes so the value is escaped exactly once
        $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
        $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

        // Quote or cast according to the column type; empty input becomes NULL
        switch ($theType) {
            case "text":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "long":
            case "int":
                $theValue = ($theValue != "") ? intval($theValue) : "NULL";
                break;
            case "double":
                $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
                break;
            case "date":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "defined":
                $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
                break;
        }
        return $theValue;
    }

You can use it like:

    $value1 = GetSQLValueString($_POST['username'], "text");
    $value2 = GetSQLValueString($_POST['pass'], "text");
    $value3 = GetSQLValueString($_GET['id'], "int");

etc. This function will insert data into MySQL correctly, but you mustn't use slashes on your query. For example:

    $sql = "INSERT INTO table (value, value2) VALUES ($value1, $value2)";
Let me see if I understood, since my English isn't that good. I can just use the function you gave and it will protect me from SQL injections without using anything else (such as adding slashes)?
Ok, thanks a lot. But when using the function, I can't compare passwords/usernames, therefore I have to use a "SELECT" query before I use the function with my login and register code. Is it dangerous?
It's not what I meant, but nvm, I figured it out. But I still have a few more questions (sorry, this issue is new to me):

1. I watch videos where people use SQL injections by inserting a password something like 'dddd or 1 = 1, but if the programmer encrypts the password before using any query, how is that possible? Or did those websites just not use password encryption?!

2. If I add PHP code to give an error if the user uses specific characters, wouldn't it solve the problem of SQL injections by forms?

And another thing about the function, I hope you'll understand what I mean. It adds single quotes, but despite that, the text looks the same. Or does the variable itself have some hidden configuration? If so, what do I do when I get the username from the cookie? Do I have to use the function again?
Password fields where you can type things like ' OR '1' = '1 are not encrypted or even parsed for quotes before executing the SQL query; it's an example of poor and sloppy coding. For storing passwords, you shouldn't just be escaping quotes within it, you should be hashing it with md5() or similar. That also rules out any possibility of SQL injection attacks (of course you still need to quote the username to prevent this).
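As an added example (not code posted in this thread), here is the registration and login flow written with mysqli prepared statements, which make addslashes(), magic quotes and GetSQLValueString() unnecessary, and with password_hash()/password_verify() in place of the md5() suggested above. It assumes a MySQL table `users` with columns `username` and `pass_hash`, and the connection details are placeholders.

```php
<?php
// Added example, not from the thread. With prepared statements the SQL text and
// the user data are sent to MySQL separately, so quotes, backslashes or NUL bytes
// in $_POST cannot change the query. Assumes table users(username, pass_hash).

function connect_db(): mysqli
{
    // Placeholder credentials; replace with your own.
    $db = new mysqli('localhost', 'app', 'secret', 'site');
    if ($db->connect_error) {
        throw new RuntimeException('DB connect failed: ' . $db->connect_error);
    }
    $db->set_charset('utf8mb4');
    return $db;
}

// Registration: store only a salted hash, never the password or an escaped copy.
function register_user(mysqli $db, string $username, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    return $stmt->execute();
}

// Login: the raw username is bound as a parameter, so input like ' OR '1'='1 is
// compared as a literal string and matches no row. The password never touches SQL.
function login_ok(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    if (!$stmt->fetch()) {
        return false;           // unknown user
    }
    $stmt->close();
    return password_verify($password, $hash);
}

// Usage with the raw, unescaped POST values (no addslashes needed):
// $db = connect_db();
// register_user($db, $_POST['username'], $_POST['pass']);
// if (login_ok($db, $_POST['username'], $_POST['pass'])) { /* logged in */ }
```

Because the password is hashed on the way in and checked with password_verify(), the SELECT for login only needs the username as a bound parameter, which answers the question above about whether that query is dangerous.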