MySQL injection | How to avoid
I had created an application in PHP for my organisation. Everything was working fine, and suddenly the security team popped up in the middle and sent me an Excel sheet in which they had mentioned MySQL INJECTION. They use a tool, so whenever any user fetches from or inserts into the database, a MySQL injection alert pops up, and they asked me to shut down this application soon, which I don't want because I really worked hard to create this application.
So guys, I need your help. Please let me know what I need to do now.
Thanks in advance
I'm sure some here will give you all sorts of advice, but the biggest would be to switch away from using the mysql_* PHP functions, going to PDO or mysqli_*, and use 'prepared' queries.
+1, as long as you add that all external values are passed into those prepared statements via bound parameters.
Originally Posted by ginerjm
If you're stuck with using the deprecated mysql extension for some reason, then you must make use of mysql_real_escape_string() for all non-numeric values, and cast values to integer or float before using them as numeric values in your query. sprintf() can be useful for keeping your code organized:

    $sql = sprintf(
        "SELECT * FROM foo WHERE id=%d and name='%s'",
        (int) $id, mysql_real_escape_string($name) // cast numerics, escape strings
    );

But prepared statements with bound parameters are really the best way to go these days.
Prepared statements with bound parameters? Please elaborate with an example.
Why not look the subject up in the php manual?
I recommend the PDO route, as it keeps your application code more portable (as opposed to tightly coupling it to a specific DBMS).
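The PDO route with bound parameters, written out as an added example that is not code from any poster in this thread, for both a SELECT and an INSERT on the foo table from the earlier reply. The DSN, credentials, the email column and the findFoo/addFoo names are assumptions.

```php
<?php
// Added example (not from any poster in this thread): the lookup written
// unsafely with string interpolation, then with PDO prepared statements
// and bound parameters. DSN, credentials and the email column are assumed.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app_db;charset=utf8mb4',
    'app_user',
    'REPLACE_WITH_PASSWORD',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// Request values: everything that arrives from the client is untrusted text.
$id   = $_GET['id']   ?? '';
$name = $_GET['name'] ?? '';

// UNSAFE: the input becomes part of the SQL text, so a crafted value can
// change the query's structure. This is the pattern the scanner flags.
// $rows = $pdo->query("SELECT * FROM foo WHERE id=$id AND name='$name'")->fetchAll();

// SAFE: the SQL text is fixed; values travel separately as parameters and
// the server never parses them as SQL.
function findFoo(PDO $pdo, string $id, string $name): array
{
    $stmt = $pdo->prepare('SELECT * FROM foo WHERE id = :id AND name = :name');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Same idea for an INSERT: a placeholder for every external value.
function addFoo(PDO $pdo, string $name, string $email): int
{
    $stmt = $pdo->prepare('INSERT INTO foo (name, email) VALUES (?, ?)');
    $stmt->execute([$name, $email]);
    return (int) $pdo->lastInsertId();
}

$rows = findFoo($pdo, $id, $name);
// Identifiers (table/column names) and ORDER BY directions cannot be bound;
// check them against a fixed whitelist array instead of interpolating them.
```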