http://php.net/manual/en/security.database.sql-injection.php Easiest way is to use mysql_real_escape_string or equivalent. You can also use an external ORM for database interaction or use prepared statements. #1, just don't ever trust any input from a user. Never allow any unsanetized $_POST, $_REQUEST, or $_GET variables anywhere in your code, especially in a database query.
AND always wrap single quotes around any data passed. "SELECT * FROM users WHERE userid=".mysql_real_escape_string($userid) would still allow an injection
Kyosys maybe i'm wrong but i really don't think your sample is a secure sample: "SELECT * FROM users WHERE userid=".mysql_real_escape_string($userid) ? I can do something like: -1 union select... I mean mysql_real_escape_string add a backslash to this characters \x00, \n, \r, \, ', " y \x1a. But what is my sql injection don't include this characters? You can do something like "SELECT * FROM users WHERE userid=".(int)$userid and problem solved (in this case i mean).
I think what he's saying is that this is not secure: $query = "SELECT * FROM users WHERE userid=".mysql_real_escape_string($userid); PHP: But something like this is: $query = "SELECT * FROM users WHERE userid='".mysql_real_escape_string($userid)."'"; PHP:
If the variable is a number then you can use abs((int)$_POST['x']) or simply $_POST['x']+=0; If the variable contains more than just numbers then you will need to use mysql_real_escape_string.
Yeah, that's what I was saying. Always wrap it around quotes as well, because my example would still allow an injection.
you can filter all your variables in $_POST/$_GET/$_REQUEST simply by a foreach loop : foreach($_REQUEST as $key=>$value) $_REQUEST[$key] = mysql_real_escape_string($value);