Possible Duplicate:
Best way to prevent SQL injection in PHP?

This is my code:

$user_name = "admin";
$password = "123456";
$database = "jbit";
$server = "localhost";
$id = $_POST['id']; // untrusted input, interpolated as-is into both queries below
$db_handle = mysql_connect($server, $user_name, $password);
$db_found = mysql_select_db($database, $db_handle);

if ($db_found) {

    $SQL = "SELECT * FROM jbit WHERE htno='$id'";
    $result = mysql_query($SQL);
    $sum = "SELECT htno, SUM(tm) AS tech, ROUND(SUM(tm)/7.5, 2) AS divi, SUM(credits) AS cred, SUM(CASE WHEN credits <= 0 THEN 1 ELSE 0 END) AS log,
    SUM(CASE WHEN credits > 0 THEN 1 ELSE 0 END) AS pass, SUM(CASE WHEN em >= 0 THEN 1 ELSE 0 END) AS atm, SUM(CASE WHEN em >= -2 THEN 1 ELSE 0 END) AS tot
    FROM jbit WHERE htno='$id'";
    $result1 = mysql_query($sum);
}

Please help me make this code secure so that I can avoid SQL injection.

  • [The Great Escapism (Or: What You Need To Know To Work With Text Within Text)](http://kunststube.net/escapism/) – deceze Sep 23 '12 at 06:48

3 Answers


Well, it seems people are downvoting you because you have demonstrated little effort in solving your problem. If you want to be safe from injection attacks, then you must use either the mysqli or PDO API with prepared statements. The mysql API will always be susceptible to injection; that's why its use is not recommended.

It seems like you are at an early stage in your app, so I would suggest refactoring to use a better API like MySQLi or PDO.

noel

The better approach will be:

  1. mysqli_query()
  2. PDO::query()

You can use the function below, but I/we recommend that you not use it, since the mysql_* functions are no longer maintained or updated by the community.

It's for your knowledge only.

 $id = mysql_prep($_POST['id']);


// Escapes a value for use inside a quoted string literal in a mysql_* query.
// mysql_real_escape_string() needs an open mysql_connect() connection, so call
// this only after connecting.
function mysql_prep($value)
{
    $magic_quotes_active = get_magic_quotes_gpc();
    $new_enough_php = function_exists("mysql_real_escape_string"); // i.e. PHP >= v4.3.0
    if ($new_enough_php) { // PHP v4.3.0 or higher
        // undo any magic quote effects so mysql_real_escape_string can do the work
        if ($magic_quotes_active) {
            $value = stripslashes($value);
        }
        $value = mysql_real_escape_string($value);
    } else { // before PHP v4.3.0
        // if magic quotes aren't already on then add slashes manually
        if (!$magic_quotes_active) {
            $value = addslashes($value);
        }
        // if magic quotes are active, then the slashes already exist
    }
    return $value;
}

Good read

Best way to prevent SQL injection in PHP?

NullPoiиteя
  • Really? Still catering to PHP <=4.3.0 when you should be using prepared statements in this day and age? – deceze Sep 23 '12 at 06:49
  • @deceze it's just for OP's knowledge – NullPoiиteя Sep 23 '12 at 06:51
  • Oh my god! It sounds like a crappy copy/paste from some script from 10 years ago. No offence, registered user, but I have seen your other answers (great quality), and this one was as if someone had hacked into your account and written it. – itachi Sep 23 '12 at 09:13
  • @itachi I made this to let the OP know what was happening before and what is now. But my answer is good on mysql_*, and the OP did not specify the version, and for the better approach there is a link. After all, I think this does not deserve the downvote; if it does, then please give a reason. – NullPoiиteя Sep 23 '12 at 09:17
  • @RegisteredUser The reason for downvoting was simple: use of `mysql_*` functions. If you look at any mysql_* function reference in the PHP documentation, you'll see that at the very top of the page they put emphasis on not using this extension, as the deprecation process has already been started. Pointing a new programmer towards a deprecated function deserves a negative vote in my opinion, because in future, looking at this -1, another new programmer may want to know why using `mysql_*` got a negative response and is discouraged (not everyone reads documentation, especially new programmers). – itachi Sep 23 '12 at 09:38
// $link must be an open mysqli connection (mysqli_connect()); the procedural
// mysqli_real_escape_string() takes it as its first argument.
$id = mysqli_real_escape_string($link, $_POST['id']);

Filter every input with mysql_real_escape_string.

If this doesn't work, try the deprecated substitute available, mysql_real_escape.

geekman
  • So you already gave a deprecated function and also said, if that doesn't work, go back and use an even more deprecated function. A little bit speechless here. – itachi Sep 23 '12 at 09:16
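As an added example (not geekman's code, and not from the original page), here is what correct use of mysqli_real_escape_string() looks like next to the case it does not cover. The procedural form needs the connection handle as its first argument, and escaping only protects a value that ends up inside a quoted string literal; in an unquoted numeric position it does nothing. Host, credentials and database are the ones from the question; the `rowid` column, the function names and the payloads are constructed for this demonstration.

```php
<?php
// Added example, not geekman's code: what mysqli_real_escape_string() does and does
// not protect against. Connection details come from the question; the rowid column
// and the payload strings are constructed for the demonstration.

$link = mysqli_connect('localhost', 'admin', '123456', 'jbit');
if ($link === false) {
    exit('connect failed: ' . mysqli_connect_error());
}
// Escaping is charset-dependent, so fix the connection charset before escaping anything.
mysqli_set_charset($link, 'utf8mb4');

// Correct use: the connection is the first argument and the escaped value is placed
// inside single quotes, so a quote in the input is escaped and cannot close the literal.
// This is the shape of the question's htno='$id' lookup.
function selectByHtnoEscaped(mysqli $link, string $id): string
{
    $safe = mysqli_real_escape_string($link, $id);
    return "SELECT * FROM jbit WHERE htno = '$safe'";
}

// Wrong use: the same escaping in an unquoted position (rowid is an assumed integer
// column). A payload such as "1 OR 1=1" contains nothing the escaper touches, so the
// resulting SQL gains an extra OR clause and returns every row.
function selectByRowidEscaped(mysqli $link, string $id): string
{
    $safe = mysqli_real_escape_string($link, $id);
    return "SELECT * FROM jbit WHERE rowid = $safe";
}

// Safe handling for a numeric column without a prepared statement: cast, so that
// anything that is not an integer collapses to 0 and never becomes SQL syntax.
function selectByRowidCast(mysqli $link, string $id): string
{
    $n = (int) $id;
    return "SELECT * FROM jbit WHERE rowid = $n";
}

// Print the three statements so the difference is visible without running them.
$quotedPayload  = "x' OR '1'='1";   // constructed; tries to break out of the string literal
$numericPayload = "1 OR 1=1";       // constructed; needs no quotes at all
echo selectByHtnoEscaped($link, $quotedPayload), "\n";   // still a single string literal
echo selectByRowidEscaped($link, $numericPayload), "\n"; // escaping changed nothing
echo selectByRowidCast($link, $numericPayload), "\n";    // payload reduced to the integer 1
```

The take-away is that escaping is a property of one string context, not of the query: every interpolation point has to be quoted correctly and escaped with the connection's charset, which is exactly the bookkeeping that prepared statements remove.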