SQL Injections

Hi Guys,

I was just after some advice about SQL injections. I am trying to create a small forum. I have a registration page and a simple submit page where users can enter information into various fields. Is there a standardized script I can include() on each page to stop users from being able to do stuff like drop tables, edit rows, bypass passwords, basically prevent them from using any SQL query within an input field? I would ideally like a script I can simply include on pages where user input is an option. Is this possible or do I have to cater to MySQL injections individually?

Many thanks,

Sam

You can prevent SQL injections just by sanitizing values from input fields. If your database is MySQL, using the function mysql_real_escape_string() should be enough to protect your database from hacking attempts.

Hi

I thought that was the case, so if I create a new PHP file called injections.php and I place the mysql_real_escape_string() within that and then use the PHP include(injections.php) function on each of my pages, it should prevent attacks?

Don’t I have to put each variable inside the brackets of the mysql_real_escape_string() though? For example my submit page contains the fields story, user, pass and my registration page contains other fields. Won't I need to insert all these fields inside the escape string before it will work?

mysql_real_escape_string($user, $story, $pass…)

Many thanks,

Sam

Yes, you have to apply this function to each variable before using it in your SQL query.
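The two replies above describe escaping each value before it goes into the query. The following is an added example, not code posted in this thread, showing what an include-able helper file could look like: first the escaping approach the replies describe (one call per value, since mysql_real_escape_string() takes a single string, not a list of variables), and second the alternative a practitioner would normally reach for today, PDO prepared statements, where the values never become part of the SQL text. The file name, the table and column names, the $link handle and the placeholder connection credentials are assumptions.

```php
<?php
// Added example (not from the thread): a helper file, e.g. injections.php,
// that a page can include() once. Table/column names and $link are assumed.

// --- Approach 1: escape every value that will be placed inside a quoted SQL literal.
// Each value must be passed to mysql_real_escape_string() separately; the function
// accepts one string (plus an optional connection), not several variables at once.
// Note: the mysql_* extension is deprecated as of PHP 5.5 and removed in PHP 7,
// so this part only applies to older installations.
function escape_fields(array $fields, $link)
{
    $clean = array();
    foreach ($fields as $name => $value) {
        // Cast to string so arrays or nulls cannot slip through unescaped.
        $clean[$name] = mysql_real_escape_string((string) $value, $link);
    }
    return $clean;
}

// Usage on the submit page (assumes $link is an open mysql_connect() handle):
//   $in  = escape_fields(array('user' => $_POST['user'], 'story' => $_POST['story']), $link);
//   $sql = "INSERT INTO stories (user, story) VALUES ('{$in['user']}', '{$in['story']}')";
// Caveat: escaping only protects values placed inside quotes. A value used in an
// unquoted position (a numeric literal, a column name in ORDER BY, a LIMIT count)
// still needs a cast to int or a whitelist check; escaping does nothing there.

// --- Approach 2: prepared statements via PDO. The SQL text is fixed and the data
// is sent separately, so there is no escaping step that can be forgotten on a page.
function insert_story(PDO $pdo, $user, $story)
{
    $stmt = $pdo->prepare('INSERT INTO stories (user, story) VALUES (:user, :story)');
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    $stmt->bindValue(':story', $story, PDO::PARAM_STR);
    return $stmt->execute();
}

function find_user(PDO $pdo, $user)
{
    // The same pattern works for lookups; a value such as  ' OR 1=1 --  is compared
    // literally against the column instead of being parsed as SQL.
    $stmt = $pdo->prepare('SELECT id, user FROM users WHERE user = :user');
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Connection example with placeholder credentials (constructed, replace with your own).
// ATTR_EMULATE_PREPARES => false makes the MySQL server itself handle the parameters.
//   $pdo = new PDO('mysql:host=localhost;dbname=forum;charset=utf8mb4', 'dbuser', 'dbpass',
//                  array(PDO::ATTR_EMULATE_PREPARES => false,
//                        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
//   insert_story($pdo, $_POST['user'], $_POST['story']);
```

With approach 1, the include file only provides the helper; each page still has to call escape_fields() on its own set of inputs and build its query from the escaped copies. With approach 2, a page that consistently uses prepare()/bindValue() for every query has no per-field step to forget, which is closer to the "include it once and be covered" goal of the original question.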
