Hi, I am currently learning PHP security and have some questions I would like to ask the pros. Will using mysql_real_escape_string() prevent SQL injection? What are PHP magic quotes? Do I need to use both in order to prevent injection, or will just mysql_real_escape_string() be good enough?
I always use htmlspecialchars() around my inputs to change any characters that are bad, such as ", to their HTML equivalent (like & is & and a space is). I suggest you try to set up a few forms using those functions and try to break them yourself; that always helps with learning what works and what doesn't.
Escapes special characters in the unescaped_string, taking into account the current character set of the connection, so that it is safe to place it in a mysql_query(). If binary data is to be inserted, this function must be used. mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a. This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.
Try to validate your inputs. For example, if you want a numeric value, use is_numeric(), or if you want only the characters a-z and 0-9 you have to use a regex (eregi). Validate your input!!!
PHP:
// Polyfill: check whether the stripos() function exists (it was added in PHP 5);
// if not, define stripos_clone() on top of strtoupper()/strpos() instead.
if (!function_exists('stripos')) {
    function stripos_clone($haystack, $needle, $offset = 0) {
        return strpos(strtoupper($haystack), strtoupper($needle), $offset);
    }
} else {
    function stripos_clone($haystack, $needle, $offset = 0) {
        // The original passed "$offset=0" here, which always forced the offset to 0.
        return stripos($haystack, $needle, $offset);
    }
}

// isset() tells us whether a query string arrived; if so, carry on with the check.
if (isset($_SERVER['QUERY_STRING'])) {
    // Shortened so we do not have to keep writing the long name.
    $queryString = strtolower($_SERVER['QUERY_STRING']);

    // Blacklist of fragments that look like SQL injection or remote-inclusion attempts.
    // stripos_clone() returns the match position (0 for a match at the very start), so
    // each result is compared against false instead of being used directly as a boolean.
    $blocked =
        stripos_clone($queryString, '%select%20') !== false ||
        stripos_clone($queryString, '%20union%20') !== false ||
        stripos_clone($queryString, 'union/*') !== false ||
        stripos_clone($queryString, 'c2nyaxb0') !== false ||   // lower-cased base64 of "script"
        stripos_clone($queryString, '+union+') !== false ||
        stripos_clone($queryString, 'http://') !== false ||
        stripos_clone($queryString, 'https://') !== false ||
        (stripos_clone($queryString, 'cmd=') !== false && stripos_clone($queryString, '&cmd') === false) ||
        (stripos_clone($queryString, 'exec') !== false && stripos_clone($queryString, 'execu') === false) ||
        stripos_clone($queryString, 'union') !== false ||
        stripos_clone($queryString, 'concat') !== false ||
        stripos_clone($queryString, 'ftp://') !== false;

    if ($blocked) {
        // Collected for logging the attempt ($sayfa = "page"); nothing below writes them out.
        $ip    = $_SERVER['REMOTE_ADDR'];
        $sayfa = $queryString;
        $time  = time();
        die("Error");
    }
}
I agree. Sanitize your input with a regexp. Use any SQL escape method that you like from the previous output.
How would I go about this? There are 3 things I would like to validate for, each in a different form: one for one or two words, 0-30 characters; one for a number, 1-3 digits; one for a text block (paragraph). Thanks =]
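Whitelist validation for the three fields asked about above, as an added example that is not code from this thread. The exact rules (letters only for the words, a byte-length cap, no control characters in the paragraph) and the field names name, age and bio are assumptions; adjust them to the real requirements. preg_match() is used rather than eregi(), which no longer exists in PHP 7.

```php
<?php
// Added example, not code from the thread. Field names and rules are assumptions.

function validate_words(string $value): bool
{
    // One or two words made of letters, separated by a single space, at most 30 bytes.
    // The 'u' flag makes the pattern UTF-8 aware; \p{L} matches letters in any script.
    return strlen($value) <= 30
        && preg_match('/^\p{L}+(?: \p{L}+)?$/u', $value) === 1;
}

function validate_small_number(string $value): bool
{
    // 1-3 digits only. ctype_digit() rejects signs, spaces, "1e3" and "0x1F",
    // all of which is_numeric() would happily accept.
    return ctype_digit($value) && strlen($value) <= 3;
}

function validate_paragraph(string $value): bool
{
    // A text block: bound its length and refuse control characters other than
    // tab, newline and carriage return. It may still contain quotes and angle
    // brackets, so it must still go into the database via an escaped/parameterised
    // query and through htmlspecialchars() when it is displayed again.
    return strlen($value) > 0
        && strlen($value) <= 2000
        && preg_match('/^[^\x00-\x08\x0B\x0C\x0E-\x1F\x7F]*$/', $value) === 1;
}

// Check every field of a submission. This belongs in the script that receives the
// POST (the insert.php side), not in the HTML form: anything done in the browser
// can be bypassed by sending the request directly.
function validate_form(array $post): array
{
    $errors = [];
    if (!validate_words((string) ($post['name'] ?? ''))) {
        $errors['name'] = 'one or two words, letters only, at most 30 characters';
    }
    if (!validate_small_number((string) ($post['age'] ?? ''))) {
        $errors['age'] = 'a number of 1 to 3 digits';
    }
    if (!validate_paragraph((string) ($post['bio'] ?? ''))) {
        $errors['bio'] = 'a non-empty text block without control characters';
    }
    return $errors; // an empty array means every field passed
}

// Constructed sample submissions: one clean, one carrying typical injection payloads.
var_dump(validate_form(['name' => 'Jane Doe', 'age' => '42', 'bio' => "Hello.\nI like PHP."]));
var_dump(validate_form(['name' => "Jane' OR 1=1 --", 'age' => '1 OR 1=1', 'bio' => "\x00"]));
```

The first submission yields an empty error array; the second is rejected on all three fields. Validation narrows what reaches the query, but it does not replace escaping or a prepared statement: the paragraph field legitimately contains quotes, so it still has to be handled safely when it is inserted.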
I've read tutorials and I still don't get how I would do this. Can anyone help me out a little? Thanks in advance.
Please start a new topic and explain what it is you need help with, as well as examples of your code if you are having any issues.
I've already created topics, but they have been pushed to the end of the list within 2-3 days with no replies. I will create another.
htmlspecialchars() will only guard against attempted XSS attacks, not SQL injection. I would suggest using PDO if you have PHP 5.2 available on your server. The PDO prepared statement is a very simple way to guard against injection attacks, and you aren't locked in to a specific set of *_real_escape_string functions. If you change to Postgres at some stage you won't have to hunt around for all of those instances of *_real_escape_string; PDO will let you change that in 2 seconds. http://www.php.net/PDO
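A PDO prepared statement beside the string-concatenated query it replaces, as an added example that is not code from this thread. It assumes the pdo_sqlite extension so that it runs against an in-memory database with no server; the table, the two seed rows and the payload are constructed for the demonstration. Swapping the DSN for a mysql: or pgsql: one leaves the prepare/bind/execute code untouched, which is the portability point made above.

```php
<?php
// Added example, not code from the thread. Assumes pdo_sqlite; rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
$seed = $db->prepare('INSERT INTO users (name, secret) VALUES (:name, :secret)');
foreach ([['alice', 's3cret'], ['bob', 'hunter2']] as $row) {
    list($name, $secret) = $row;
    $seed->execute([':name' => $name, ':secret' => $secret]);
}

$payload = "' OR '1'='1"; // classic tautology: closes the quote, adds an always-true clause

// Vulnerable: the value is pasted into the SQL text, so the quote in the payload ends
// the string literal and the OR clause becomes part of the query's structure.
function find_unsafe(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the value is bound as a parameter. The SQL text sent to the database never
// contains it, so no quoting trick can change the query; the database looks for a
// user literally named "' OR '1'='1" and finds none.
function find_safe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(find_unsafe($db, $payload)); // returns every user
var_dump(find_safe($db, $payload));   // returns no rows
```

Placeholders carry values only. A table or column name, or an ORDER BY direction, cannot be bound and still needs a whitelist check before it is put into the SQL. With the MySQL driver, also set PDO::ATTR_EMULATE_PREPARES to false and put the charset in the DSN so that quoting is done by the server with the right character set, and bind integer columns with PDO::PARAM_INT.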
Also, I should mention checking out sites like Chris Shiflett's for PHP security articles (Google search "shiflett").
Well, I use a big application for this, but in one line, for full security, use:
PHP: base64_encode($string);
For even more security, escape it; then, when you get this from your database and you want to output it, use:
PHP: echo base64_decode($string);
-AT-XE
Also, I don't think anyone's mentioned this here: make sure your user-inputted data is actually in quotes in the SQL query when you are using mysql_real_escape_string(), or it will have absolutely no effect on the ability to inject SQL.
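The quoting point above, and the character list quoted from the manual earlier in the thread, shown side by side as an added example that is not code from this thread. The escape_like_mysql() function is an assumption: a plain-PHP reimplementation of the seven characters mysql_real_escape_string() escapes, used only so the demonstration runs without a MySQL connection. It is not character-set aware, so it is not a substitute for mysqli_real_escape_string() in real code.

```php
<?php
// Added example, not code from the thread. escape_like_mysql() is a stand-in for the
// real (connection- and charset-aware) function so the script runs offline.
function escape_like_mysql(string $s): string
{
    return strtr($s, [
        "\x00" => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Context 1: the escaped value sits inside single quotes. The classic payload is
// neutralised because every quote in it becomes \' and stays inside the literal.
function lookup_by_name(string $name): string
{
    return "SELECT id FROM users WHERE name = '" . escape_like_mysql($name) . "'";
}

// Context 2: the escaped value is used unquoted as a number. The payload contains
// none of the seven escaped characters, so escaping changes nothing and the injected
// OR clause reaches the database intact. This is the failure described above.
function lookup_by_id_unquoted(string $id): string
{
    return "SELECT id FROM users WHERE id = " . escape_like_mysql($id);
}

// Fix for numeric columns: check the type instead of relying on escaping.
// ctype_digit() accepts only the characters 0-9, so "1 OR 1=1" is rejected outright,
// and the cast guarantees that only an integer is ever interpolated.
function lookup_by_id_validated(string $id): string
{
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return "SELECT id FROM users WHERE id = " . (int) $id;
}

echo lookup_by_name("' OR '1'='1"), "\n";    // quotes escaped, one string literal
echo lookup_by_id_unquoted("1 OR 1=1"), "\n"; // nothing to escape, injection survives
echo lookup_by_id_validated("42"), "\n";      // only digits get through
echo lookup_by_id_validated("1 OR 1=1"), "\n"; // throws
```

The second query printed shows the whole problem: the input never contained a quote, backslash or control character, so escaping had nothing to do, and the database receives WHERE id = 1 OR 1=1. Escaping only protects the inside of a quoted string; for every other position (numbers, column names, LIMIT values) validate against an allow-list or use a bound parameter.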
Wait, so how could I do this? I'm a complete newbie to SQL injection protection. I have my form, and I want the results to be properly escaped, and to make sure that it is the correct type of data (is_numeric for numbers), but I don't know where I would put this. Would I put it in the form itself, or in the insert.php script, etc.?