What is the best method to ensure MySQL injection doesn't happen as a hack? Also, if you use page.php?content=$id, how do you prevent people from entering random IDs?
Hello, you can encrypt the query string parameter so that no one knows what parameter you are passing in the query string....
That doesn't prevent anything. Make sure the variables you enter in your query string only contain characters that are needed for each field. Use intval() on variables that should ONLY be numeric, and mysql_real_escape_string() on all others. Additionally, you can use preg_replace() to filter out unwanted characters...
Yes, but malicious people can still submit any data they want via an HTML form. Plus, according to the filename and variable being passed, it seems like he has a PHP navigation which shows different pages based on the variable. So I don't think using POST variables would really be a good solution here. Sure, using POST is generally safer, I think. But it does not prevent MySQL injections, and isn't really appropriate here in my opinion.
Well, here is what I have so far....

1. When possible I am trying to use non-standard spellings for variable names and table names, e.g. usname instead of username.
2. Variables do not exactly match MySQL field names.
3. Pages are only accessible when logged in, and I am checking for a non-standard PHP session variable before running any query.
4. Inserts/updates are done with a session variable added to all tables (to track who inserted the data).

Is there anything else I can do? My main concern is that there is semi-private content that can be displayed once logged in, and by randomly guessing the $id someone besides the user could intercept and change this data....
Perhaps this function might help:

    function Make_Safe($value) {
        return mysql_real_escape_string($value);
    }

Put all of the variables that you're passing into your SQL statement through this function. For example:

    $MyID = Make_Safe($MyID);
Because you can add other provisions into that function if you need to. mysql_real_escape_string() is not the only one you should use.
1. Always clean your content/id/parameter.
2. Perform a check to see if the requested info exists.
3. If it exists, display the results.

PHP:

    function clean_content($content) {
        $content = stripslashes(trim($content));
        $content = nl2br($content);
        $content = htmlentities($content);
        return $content;
    }

    $checkData = mysql_query("SELECT * FROM ".$table." WHERE ".clean_content($parameter)." = ....");
    if (mysql_num_rows($checkData) != 0) {
        // display data
    } else {
        // throw an error
    }
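The thread asks two separate questions: how to stop the `$id` from altering the SQL, and how to stop a logged-in user from reading someone else's record by guessing `$id`. The following is an added example written for this page, not code from any of the posters. It answers both with a prepared statement plus a query that is scoped to the logged-in user, which is the approach a current PHP application would take (the thread's own `mysql_real_escape_string()` and `mysql_query()` belong to the old mysql extension, which was removed in PHP 7.0). The `page` table, its `owner_id` column and the hard-coded "current user" are assumptions made for the demo; it uses an in-memory SQLite database so it runs offline, but the same PDO calls work against MySQL.

```php
<?php
// Added example (not from the thread). Assumed schema: page(id, owner_id, body).
declare(strict_types=1);

function openDemoDb(): PDO
{
    // In-memory SQLite so the example runs offline; a MySQL DSN works the same way.
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares where the driver supports them
    ]);
    $db->exec('CREATE TABLE page (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, body TEXT NOT NULL)');

    // Constructed sample rows: user 1 owns page 10, user 2 owns page 11.
    $ins = $db->prepare('INSERT INTO page (id, owner_id, body) VALUES (?, ?, ?)');
    $ins->execute([10, 1, 'private notes of user 1']);
    $ins->execute([11, 2, 'private notes of user 2']);
    return $db;
}

/**
 * Return the body of one page for the current user, or null if the id is
 * malformed, does not exist, or belongs to another user. The caller cannot
 * tell the last two cases apart, which is deliberate: someone enumerating
 * ids learns nothing about which ones exist.
 */
function fetchPageForUser(PDO $db, string $rawId, int $currentUserId): ?string
{
    // Validate the shape first: only a positive decimal integer is an acceptable id.
    // filter_var rejects '10 OR 1=1', "10'; DROP TABLE page; --", '', '10.0' and 'abc'.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // Bound parameters travel separately from the SQL text, so the value can
    // never be parsed as SQL; no escaping function is involved at all.
    // The owner_id condition is the authorization check: the row must belong
    // to the user whose session we are serving.
    $stmt = $db->prepare('SELECT body FROM page WHERE id = :id AND owner_id = :owner');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':owner', $currentUserId, PDO::PARAM_INT);
    $stmt->execute();

    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

// Demo run. A real page.php would take $currentUserId from $_SESSION after the
// login check already described in the thread, and $rawId from $_GET['content'].
$db = openDemoDb();
$currentUserId = 1;   // assumed: user 1 is logged in

foreach (['10', '11', '10 OR 1=1', "10'; DROP TABLE page; --", 'abc'] as $content) {
    $body = fetchPageForUser($db, $content, $currentUserId);
    // Encode for HTML only at the point of output, never before storing or querying.
    $shown = $body === null ? '(not found)' : htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
    printf("content=%-28s -> %s\n", $content, $shown);
}
```

Only the request for id 10 returns a body; id 11 is a real row but belongs to user 2, so it is reported exactly like a non-existent or malformed id. Note that the `htmlspecialchars()` call sits at output time: encoding for HTML is a separate concern from keeping data out of the SQL, and doing it on the way into a query solves neither problem.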