Is my this password protection script safe from SQL injection?
Hi all,
I've had a bit of trouble with this script I found. Someone entered in some junk into the password field and broke my website for 15 minutes. I couldn't get into FTP, or into my host's control panel.
All they did was enter =='1=1
That's a pretty bad flaw!
I just don't know how to apply ctype_alnum to ensure that only alphanumeric values are read by this script, so I can prevent failures like this from happening again.
Well, if it broke when they entered that text, then it's probably not SQL injection proof.
The best way (IMO) is to use the MySQLi or PDO database extension along with bound input parameters. If that is not feasible for some reason and you have to use the old (and now-deprecated) MySQLi extension, then you should cast any numeric field values to the appropriate type ((int) or (float)) or apply mysql_real_escape_string() to any character/string values.
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation
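An added example (not code from the thread or from either poster) putting the reply's advice and the original poster's ctype_alnum question together in one PHP login lookup: ctype_alnum validation of the username, an (int) cast for a numeric lookup, and a PDO prepared statement with bound parameters in place of string concatenation. It assumes a hypothetical `users` table with `id`, `username` and `password_hash` columns, placeholder connection details, and that passwords were stored with password_hash(); the risky concatenated version is kept beside it only to show which part of the query untrusted text can reach.

```php
<?php
// Added example, not from the forum thread. Table, column names and the
// connection details below are assumptions; replace them for your site.
declare(strict_types=1);

// 1. Validation with ctype_alnum, as the original post asked about:
//    accept only [A-Za-z0-9] of a sane length before the value nears SQL.
function isValidUsername(string $name): bool
{
    return $name !== '' && strlen($name) <= 32 && ctype_alnum($name);
}

// 2. The pattern that broke the site: user text is concatenated straight
//    into the SQL string, so a quote in the input changes the WHERE clause.
function findUserUnsafe(mysqli $db, string $user, string $pass): ?array
{
    $sql = "SELECT id FROM users WHERE username = '$user' AND password = '$pass'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// 3. Bound parameters (the reply's recommendation): the query text and the
//    values travel separately, so the value is never parsed as SQL.
function findUserSafe(PDO $pdo, string $user): ?array
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->bindValue(':u', $user, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 4. Numeric field: cast to the right type, as the reply suggests, and
//    still bind it rather than splicing it into the string.
function findUserById(PDO $pdo, string $rawId): ?array
{
    $id = (int) $rawId;                       // junk becomes 0, never SQL
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function login(PDO $pdo, string $user, string $pass): bool
{
    if (!isValidUsername($user)) {
        return false;                         // rejected before any query runs
    }
    $row = findUserSafe($pdo, $user);
    // password_verify() checks against a password_hash() value (assumed here)
    return $row !== null && password_verify($pass, $row['password_hash']);
}

// Usage with placeholder credentials; errors surface as exceptions instead
// of silently returning false, and server-side prepares are forced on.
$pdo = new PDO(
    'mysql:host=localhost;dbname=site;charset=utf8mb4',
    'dbuser',
    'dbpass',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);
$ok = login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
echo $ok ? 'login ok' : 'login failed';
```

With this layout the password is never interpolated into a query at all: the username is validated and then bound, and the password is only ever compared in PHP with password_verify(). If a value containing quotes or `1=1` is submitted, the prepared statement treats it as a literal string and the lookup simply returns no row.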