-3

Possible Duplicate:
Best way to prevent SQL injection in PHP?

My code problem, sorry.

$yeri = ...; // no filter: the value goes into the query unfiltered

mysql_query("Insert Into deney (vid,yazan,email,yorum,ip,tarih,durum,yeri) values ('$id', '$yazan', '$email', '$yorum', '$ip', Now(),'1','$yeri')");

How can I update data at the attack site to this query? How do I take this precaution? How do I update the data in my table?

    You should look at [mysqli::real_escape_string](http://php.net/manual/en/mysqli.real-escape-string.php) and also don't use `mysql_***` because it's `deprecated` – Baba Oct 08 '12 at 19:03
  • How do they do it? What's going on here, to write something like that? – Cialis Ccialis Oct 08 '12 at 19:06
  • @CialisCcialis I provided an answer, but I'm not sure I'm understanding what you are asking anymore. Is this a question about preventing SQL injection or learning how it's done? – jimp Oct 08 '12 at 19:12
  • I now know about embed code, something which is mysql. – Cialis Ccialis Oct 08 '12 at 19:15
  • @CialisCcialis read http://php.net/manual/en/function.mysql-query.php - the thing on the red tinted background. That's why everyone's suggesting you use something else instead; mysql_query and associated functions will be removed in future versions of PHP. I suggested an alternative, and even gave you code to connect to your database using the new way. – xception Oct 08 '12 at 19:17

2 Answers

2

Use mysqli or PDO instead.

In PDO your code would look like this - this is SAFE:

$query = $pdo->prepare("Insert Into
    deney (vid,yazan,email,yorum,ip,tarih,durum,yeri)
    values (:id, :yazan, :email, :yorum, :ip, Now(), 1, :yeri)");
$query->execute(array(
    'id' => $id,
    'yazan' => $yazan,
    'email' => $email,
    'yorum' => $yorum,
    'ip' => $ip,
    'yeri' => $yeri
));

This way PDO does the escaping for you and it's safe against SQL injection.

To create a MySQL connection via PDO use:

$pdo = new PDO("mysql:dbname=$dbname", $username, $password);

I usually add a 4th parameter to that as well, since I like to write all my code in utf-8; the 4th parameter in my case is array(PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8").

Just to clarify the following is NOT SAFE - DO NOT USE:

$pdo->prepare("Insert Into
        deney (vid,yazan,email,yorum,ip,tarih,durum,yeri)
        values ('$id', '$yazan', '$email', '$yorum', '$ip', Now(), 1, '$yeri')");

If you insist on using mysql_query, which is NOT RECOMMENDED, you need to do it like this:

mysql_query("Insert Into deney (vid,yazan,email,yorum,ip,tarih,durum,yeri) values ('"
    . mysql_real_escape_string($id) . "', '"
    . mysql_real_escape_string($yazan) . "', '"
    . mysql_real_escape_string($email) . "', '"
    . mysql_real_escape_string($yorum) . "', '"
    . mysql_real_escape_string($ip) . "', Now(),'1','"
    . mysql_real_escape_string($yeri) . "')");
xception
  • 4,241
  • 1
  • 17
  • 27
  • How do they do it, all right, but what problem is there to solve? You need to know. – Cialis Ccialis Oct 08 '12 at 19:17
  • This is injection safe => SQL injection cannot happen with this. I don't know if you asked something above?!? – xception Oct 08 '12 at 19:18
  • How safe are they doing to me what this code but it is also required sample. mysql_query("Insert Into yorum (vid,yazan,email,yorum,ip,tarih,durum,yeri) values ('$id', '$yazan', '$email', '$yorum', '$ip', Now(),'1',''); DROP TABLE madvideo;--')"); @xception – Cialis Ccialis Oct 08 '12 at 19:20
  • 100% safe, this replaces `'); DROP TABLE madvideo;--` with `\'); DROP TABLE madvideo;--` - the `\` tells mysql that the ' after it does not end the variable. As long as you use it the way I wrote it, with the bound variables and calling execute on it with an associative array. – xception Oct 08 '12 at 19:25
  • mysql_query("Insert Into yorum (vid,yazan,email,yorum,ip,tarih,durum,yeri) values ('$id', '$yazan', '$email', '$yorum', '$ip', Now(),'1',''); DROP TABLE madvideo;--')"); no delete madvideo table, error mysql. error logs: you have an error in your sql syntax; check the manual ..... 'DROP TABLE madvideo;-- not working SQL injection @xception – Cialis Ccialis Oct 08 '12 at 19:30
  • @CialisCcialis updated answer again – xception Oct 08 '12 at 19:37
  • Please help, my language is Turkish, I don't speak English :( sorry – Cialis Ccialis Oct 08 '12 at 19:38
  • When my answer is updated, take another look; to understand this in Turkish, use Google Translate http://translate.google.com/ READ - http://www.php.net/manual/tr/ref.pdo-mysql.php - in Turkish – xception Oct 08 '12 at 19:42
  • I just want to see how this flaw is, what the code is doing. Very kind of you, thank you. – Cialis Ccialis Oct 08 '12 at 19:47
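To show what the bound-parameter version above actually does with the `'); DROP TABLE madvideo;--` string from the comment thread, here is an added example (not xception's or the asker's code) that runs the same insert through PDO against an in-memory SQLite database; the SQLite driver, the `madvideo` table definition and the sample row values are assumptions so it runs without a MySQL server. The string ends up stored as plain data and the `madvideo` table is untouched.

```php
<?php
// Added example (not the answer's or the asker's code): the question's insert
// as a PDO prepared statement. SQLite in memory is an assumption so it runs
// without a server; for MySQL use a DSN such as
// "mysql:host=localhost;dbname=$dbname;charset=utf8mb4" and add
// PDO::ATTR_EMULATE_PREPARES => false so values are bound server-side.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // surface SQL errors instead of hiding them
]);
$pdo->exec("CREATE TABLE deney (vid TEXT, yazan TEXT, email TEXT, yorum TEXT,
            ip TEXT, tarih TEXT, durum INTEGER, yeri TEXT)");
$pdo->exec("CREATE TABLE madvideo (id INTEGER)"); // the table named in the comment thread

function insertDeney(PDO $pdo, array $row): void
{
    // Placeholders carry the values; user input never becomes part of the SQL text.
    // datetime('now') is SQLite's equivalent of MySQL's Now().
    $stmt = $pdo->prepare("INSERT INTO deney (vid, yazan, email, yorum, ip, tarih, durum, yeri)
        VALUES (:id, :yazan, :email, :yorum, :ip, datetime('now'), 1, :yeri)");
    $stmt->execute([
        'id'    => $row['id'],
        'yazan' => $row['yazan'],
        'email' => $row['email'],
        'yorum' => $row['yorum'],
        'ip'    => $row['ip'],
        'yeri'  => $row['yeri'],
    ]);
}

// Returns true when the row holds the exact string and madvideo still exists.
function storedVerbatimAndTableIntact(PDO $pdo, string $expectedYeri): bool
{
    $yeri   = $pdo->query("SELECT yeri FROM deney")->fetchColumn();
    $tables = $pdo->query("SELECT name FROM sqlite_master WHERE type = 'table'")
                  ->fetchAll(PDO::FETCH_COLUMN);
    return $yeri === $expectedYeri && in_array('madvideo', $tables, true);
}

// Constructed input: the string the asker pasted into yeri in the comments.
$hostile = "'); DROP TABLE madvideo;--";
insertDeney($pdo, [
    'id' => '42', 'yazan' => 'test', 'email' => 'test@example.com',
    'yorum' => 'hello', 'ip' => '127.0.0.1', 'yeri' => $hostile,
]);
echo storedVerbatimAndTableIntact($pdo, $hostile) ? "stored as data\n" : "something went wrong\n";
```

The same check against MySQL needs only the DSN change noted in the comments and `Now()` in place of `datetime('now')`.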
0

You should escape all input with mysql_real_escape_string if you must use the old mysql extension or use the mysqli extension's prepared statements.

Note that the mysql_ functions are deprecated and you should not be using them if possible (and it should be in your case).

jimp
  • 16,999
  • 3
  • 27
  • 36