1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

MYSQL injection prevention.

Discussion in 'PHP' started by mintuz, Nov 21, 2010.

  1. #1
    what are the best methods for preventing MYSQL injection. I am currently using mysql_real_escape_string however when I look within my database it still excepts all the characters I inputted.
     
    mintuz, Nov 21, 2010 IP
  2. Deacalion

    Deacalion Peon

    Messages:
    438
    Likes Received:
    11
    Best Answers:
    0
    Trophy Points:
    0
    #2
    You're already preventing SQL injection using the best method available for PHP, mysql_real_escape_string.
    Your understanding of what it does just needs adjusting :).

    The idea is not to omit the characters that can be used maliciously, but to escape them with a backslash.
    So they lose their potential to be used this way and are rendered simply as text.

    It's when you're not seeing the text in the database that you need to start worrying. :)
     
    Deacalion, Nov 21, 2010 IP
  3. kevin5fan

    kevin5fan Peon

    Messages:
    9
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #3
    vBulletin 3.8.4 has many venerabilities for SQL Attacks
     
    kevin5fan, Nov 21, 2010 IP
  4. Deacalion

    Deacalion Peon

    Messages:
    438
    Likes Received:
    11
    Best Answers:
    0
    Trophy Points:
    0
    #4
    eh? who mentioned vBulletin?
     
    Deacalion, Nov 21, 2010 IP
  5. mfscripts

    mfscripts Banned

    Messages:
    319
    Likes Received:
    4
    Best Answers:
    8
    Trophy Points:
    90
    Digital Goods:
    3
    #5
    Another option, although a bit more heavyweight, is to use an db layer for your db connectivity. Doctrine or Propel ORM will provide you with a wrapper to your database and manage all the escaping automatically. Then there's no need to worry about it in each read/write request to the db.
     
    mfscripts, Nov 22, 2010 IP
  6. xpertdev

    xpertdev Peon

    Messages:
    54
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #6
    mysql_real_escape_string is the good method for preventing SQL injection.
    If you want to learn new things to prevent SQL injection then user PDO.
    Check here for PDO introduction and basic startup notes
    best of luck with PDO..
     
    xpertdev, Nov 22, 2010 IP
  7. ahmadmarafa

    ahmadmarafa Member

    Messages:
    15
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    36
    #7
    sorry for my bad english but the best way to prevent mysql injection is to check the data you expect
    for example if you expect that the user will input number check if it number .
     
    ahmadmarafa, Nov 23, 2010 IP