www.webdeveloper.com

Thread: Is this password protection script safe from SQL injection?

  1. #1 (Join Date: Jan 2003; Location: UK; Posts: 267)

    Is this password protection script safe from SQL injection?

    Hi all,

    I've had a bit of trouble with this script I found. Someone entered in some junk into the password field and broke my website for 15 minutes. I couldn't get into FTP, or into my host's control panel.

    All they did was enter =='1=1

    That's a pretty bad flaw!

    I just don't know how to apply ctype_alnum to ensure that only alphanumeric values are read by this script, so I can prevent failures like this from happening again.

    Also is this script protected from SQL injection?

    pp.txt

  2. #2 (Join Date: Aug 2004; Location: Ankh-Morpork; Posts: 19,529)
    Well, if it broke when they entered that text, then it's probably not SQL injection proof.

    The best way (IMO) is to use the MySQLi or PDO database extension along with bound input parameters. If that is not feasible for some reason and you have to use the old (and now-deprecated) MySQL extension, then you should cast any numeric field values to the appropriate type ((int) or (float)) or apply mysql_real_escape_string() to any character/string values.
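The following is an added PHP example illustrating the advice in reply #2; it is not the script from the thread (the pp.txt attachment is not reproduced here) and not the replier's code. It places the string-concatenation pattern that is open to injection beside the same lookup done with a PDO prepared statement, adds the ctype_alnum allow-list the original poster asked about, and shows the (int) cast for a numeric field. The table and column names (users, id, username, password_hash), the DSN and the credentials are assumptions for illustration only.

```php
<?php
// Added example, not code from the thread. Assumes a table `users` with
// columns `id`, `username` and `password_hash` (hypothetical names).

// VULNERABLE: user input is spliced straight into the SQL text, so a quote
// character alone is enough to break the statement, and input such as
//   ' OR '1'='1
// rewrites the WHERE clause into one that is always true.
function lookupUserUnsafe(PDO $pdo, string $username, string $password): ?array
{
    $sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
    $stmt = $pdo->query($sql);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// SAFE: the SQL text is fixed at prepare time and the value travels separately
// as a bound parameter, so nothing the user types can alter the statement.
// The password is not compared inside SQL at all; a stored hash is verified in PHP.
function lookupUserSafe(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row;
}

// Numeric field: cast to int and bind as an integer. The cast is what reply #2
// recommends for the legacy extension; with PDO it is belt and braces.
function lookupUserById(PDO $pdo, $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// The ctype_alnum allow-list the original poster asked about. This rejects
// quotes, equals signs and everything else outside [A-Za-z0-9] before the
// value reaches the database. It is defence in depth, not a replacement for
// prepared statements: bound parameters are what actually prevent injection.
function isAlnumInput(string $value, int $maxLength = 64): bool
{
    return $value !== '' && strlen($value) <= $maxLength && ctype_alnum($value);
}

// Connection settings (hypothetical DSN and credentials). Throwing on errors
// makes a broken query visible instead of silently returning nothing, and
// disabling emulated prepares makes the MySQL server do the parameter binding.
$pdo = new PDO('mysql:host=localhost;dbname=mydb;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

if (!isAlnumInput($username)) {
    http_response_code(400);
    exit('Invalid username');
}

$user = lookupUserSafe($pdo, $username, $password);
echo $user !== null ? 'Login OK' : 'Login failed';
```

Note that the input from the original post, =='1=1, is rejected by isAlnumInput() before any query runs, and that even without that check lookupUserSafe() would treat it as an ordinary (non-matching) username rather than as SQL.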
