How to make website more secured?

Question

Possible Duplicate:
Best way to stop SQL Injection in PHP

I have a question concerning the security of website. Actually I have used the queries as:

$name = $_POST['name'];
$sql = "INSERT INTO table (sno, name) VALUES('', '$name')";
mysql_query($sql);

Does this kind of coding assures the security from sql injection or others. If not what methods could we use to make our website secured?

Thanks in advance.

Uhhhhh...no. Your code is utterly vulnerable to SQL injection. — , Apr 23 '12 at 06:55
I am fairly new to PHP. I could not understand which one is the best way :( — Php Newbie, Apr 23 '12 at 07:06
you can read some answers on this site and then ask some certain question. — Your Common Sense, Apr 23 '12 at 07:20

score 1 · Answer 1 · answered Apr 23 '12 at 07:00

1

Use PDO with prepared statement and binding param

Here's the start.

answered Apr 23 '12 at 07:00

itachi

I think, you must start from most simple things. In my practice addslashes in 80% cases is all what you need). But this is my own opinion. – Valeriy Gorbatikov Apr 23 '12 at 12:01

score 0 · Answer 2 · answered Apr 23 '12 at 06:58

0

To protect yourself from sql-injections use PDO

In your case use mysql_real_escape_string($string) - but this is NOT ENOUGH SECURE. PDO )

answered Apr 23 '12 at 06:58

s.webbandit

what does it mean - "this is NOT ENOUGH SECURE?" any certain vulnerability you may show? – Your Common Sense Apr 23 '12 at 07:05
1

`http://stackoverflow.com/questions/1220182/does-mysql-real-escape-string-fully-protect-against-sql-injection#answer-1220516` - here is an explanation why it is not. – s.webbandit Apr 23 '12 at 08:57
PDO has the same vulnerability as well – Your Common Sense Apr 23 '12 at 08:59
at least out of the box, if you didn't set the encoding in the DSN or didn't set the compatibility mode off – Your Common Sense Apr 23 '12 at 09:07
so, it is knowledge that makes you secure, not some cargo cult "do this and be safe" – Your Common Sense Apr 23 '12 at 09:08
For example `index.php?ID=-1%20union%20all%20select%201000,999999999,999999999,-999999999`. `var_dump(mysql_real_escape_string($_GET['id']));` gives `-1 union all select 1000,999999999,999999999,-999999999` – s.webbandit Apr 23 '12 at 09:11
you have error after that code? I have no. – s.webbandit Apr 23 '12 at 09:22
there shouldn't be any errors. like you said to the OP, "in your case use mysql_real_escape_string($string)" - so, if used with their code, your imaginary input will cause no errors nor unexpected results - just 0 rows returned. – Your Common Sense Apr 23 '12 at 09:29

score -5 · Answer 3 · answered Apr 23 '12 at 07:00

-5

Also you can use addslashes php function:

<?php
    $name = addslashes($_POST['name']);
?>

answered Apr 23 '12 at 07:00

@itachi as a matter of fact, there is nothing essentially wrong with them – Your Common Sense Apr 23 '12 at 07:05
@YourCommonSense: I didn't say addlashes has something wrong. Point is Use proper tools for appropriate fields. – itachi Apr 23 '12 at 07:07
addslashes is a quite proper tool. especially when compared to mysql_real_escape_string used as is – Your Common Sense Apr 23 '12 at 07:09
1

@YourCommonSense: One perfect reason not to use addlashes is this (and why it isn't a proper tool in sql making safe)... addslashes() can be tricked into creating valid multi-byte characters out of invalid ones. Whenever a multi-byte character ends in 0×5c (a backslash), an attacker can inject the beginning byte(s) of that character just prior to a single quote, and addslashes() will complete the character rather than escape the single quote. In essence, the backslash gets absorbed, and the single quote is successfully injected. This opens the door for SQL injection attacks. – itachi Apr 23 '12 at 07:13
@itachi that's what I am talking about. mysql_real_escape_string can be tricked as well. As well as PDO prepared statement – Your Common Sense Apr 23 '12 at 07:19
@YourCommonSense: totally agree with you. – itachi Apr 23 '12 at 07:22

3 Answers3