www.webdeveloper.com

Thread: My SQL injection | How to avoid

  1. #1
    Join Date
    Aug 2013
    Posts
    38

    My SQL injection | How to avoid

    Hi All,

    I created an application in PHP for my organisation. Everything was working fine, and then suddenly the security team popped up in the middle and sent me an Excel sheet in which they had flagged MySQL SQL INJECTION. They use a tool, so whenever any user fetches from or inserts into the database, a SQL injection alert pops up, and they asked me to shut down this application soon, which I don't want to do because I really worked hard to create this application.

    So guys, I need your help. Please let me know what I need to do now.

    Thanks in advance

  2. #2
    Join Date
    Jul 2013
    Location
    Voorheesville NY USA
    Posts
    517
    I'm sure some here will give you all sorts of advice, but the biggest would be to switch away from using the mysql_* PHP functions, going to PDO or mysqli_*, and use 'prepared' queries.

  3. #3
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,147
    Quote Originally Posted by ginerjm:
    I'm sure some here will give you all sorts of advice, but the biggest would be to switch away from using the mysql_* PHP functions, going to PDO or mysqli_*, and use 'prepared' queries.
    +1, as long as you add that all external values are passed into those prepared statements via bound parameters.

    If you're stuck with using the deprecated mysql extension for some reason, then you must make use of mysql_real_escape_string() for all non-numeric values, and cast values to integer or float before using them as numeric values in your query. sprintf() can be useful for keeping your code organized:
    PHP Code:
    $sql = sprintf(
        "SELECT * FROM foo WHERE id=%d and name='%s'",
        (int) $_POST['id'],                        // numeric value: cast, so only digits reach the query
        mysql_real_escape_string($_POST['name'])   // string value: escaped with the connection's charset
    );
    But prepared statements with bound parameters are really the best way to go these days.
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us

  4. #4
    Join Date
    Aug 2013
    Posts
    38
    Prepared statements with bound parameters? Please elaborate with an example.

  5. #5
    Join Date
    Jul 2013
    Location
    Voorheesville NY USA
    Posts
    517
    Why not look the subject up in the php manual?

  6. #6
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,147
    http://php.net/manual/en/pdostatement.bindparam.php
    http://php.net/manual/en/mysqli-stmt.bind-param.php

    I recommend the PDO route, as it keeps your application code more portable (as opposed to tightly coupling it to a specific DBMS).
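The pattern the scanner is flagging, placed next to its prepared-statement replacement, as an added example that is not code from any poster in this thread. It follows the advice in #3 (cast numeric input, never paste strings into SQL) and #6 (PDO with bound parameters, with the mysqli equivalent from the second link). It runs against an in-memory SQLite database so it can be tried without a MySQL server; the table, its rows, the attacker string and the MySQL DSN shown in a comment are all constructed for the demo, and the mysqli function needs a live MySQL connection so it is defined but not called.

```php
<?php
// Added example: a string-built query beside a PDO prepared statement with
// bound parameters. Uses an in-memory SQLite database so it runs offline; for
// MySQL swap the DSN for something like
//   'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4'   (hypothetical values)
// Table, columns and rows below are constructed for the demo.

declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on errors instead of silently returning false.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // On MySQL, also disable client-side emulation so the server receives the
    // query text and the values as separate messages:
    // $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
    $pdo->exec("INSERT INTO users (id, name, role) VALUES (1, 'alice', 'admin'), (2, 'bob', 'user')");
    return $pdo;
}

// The pattern the security team's scanner flags: user input is pasted into
// the SQL text, so the input can change the structure of the query.
function findUserUnsafe(PDO $pdo, string $id, string $name): array
{
    $sql = "SELECT id, name, role FROM users WHERE id=$id AND name='$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the query text is fixed at prepare() time; every external value
// arrives through a bound parameter and is only ever treated as data.
function findUserSafe(PDO $pdo, string $id, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, role FROM users WHERE id = :id AND name = :name');
    // Cast numeric input first, then bind each value with an explicit type.
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// mysqli equivalent of findUserSafe (needs a live MySQL connection, so it is
// defined here but not called in the stand-alone run).
function findUserMysqli(mysqli $db, string $id, string $name): array
{
    $stmt = $db->prepare('SELECT id, name, role FROM users WHERE id = ? AND name = ?');
    $idInt = (int) $id;                        // bind_param takes variables by reference
    $stmt->bind_param('is', $idInt, $name);    // 'i' = integer, 's' = string
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

$pdo = connect();

// Constructed attacker input: closes the quoted string and appends an
// always-true condition.
$evilName = "x' OR '1'='1";

// Unsafe version: the WHERE clause becomes (id=1 AND name='x') OR '1'='1',
// so every row in the table is returned.
$rows = findUserUnsafe($pdo, '1', $evilName);
printf("unsafe query returned %d row(s)\n", count($rows));

// Safe version: the same input is compared literally against the name
// column, so no row matches.
$rows = findUserSafe($pdo, '1', $evilName);
printf("safe query returned %d row(s)\n", count($rows));

// A legitimate lookup still works through the prepared statement.
$rows = findUserSafe($pdo, '1', 'alice');
printf("safe lookup for alice returned role %s\n", $rows[0]['role']);
```

Run it with `php` from the command line; the pdo_sqlite extension ships with most PHP builds. The point to take from the two functions is that the fix is not "escape harder": with a prepared statement the query structure is decided before any user value is seen, so the scanner's finding goes away for every query you convert, not just the ones you remembered to escape.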
