Search this site for "Sql Injection". A common source of SQL injection attacks is user input which is not validated and is then trustingly concatenated before being sent to the database.
For example, if your statement is this:
select col1, col2 from mytable where id =' + <some variable> + ' and xyz = abc
(where 'some variable' is user input just passed on to the SQL)
then the user can input 'xxx''; delete from mytable; --'
and what the database gets is:
select col1, col2 from mytable
where id ='xxx'; delete from mytable; --' and xyz = abc
causing havoc.
So the key issue here is: don't pass unvalidated, concatenated text to your database for it to execute.
You can achieve this in several ways:
- check the input for unwanted characters (difficult to cover everything)
- build your SQL as parameterized SQL, i.e. binding user input to parameters
- invoke stored procedures (I like them but they are not everyone's cup of tea)
I'd go for parameterized SQL as the database driver will take care of binding everything the user inputs as a single value, whilst at the same time keeping your business logic out of the database.
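As an added worked example (not part of the original post), the statement and payload above run against an in-memory SQLite database using Python's sqlite3 module. The table layout, the sample rows and the literal 'abc' compared against xyz are assumptions made for the demo; is_safe_id is a hypothetical allow-list check standing in for the "check the input" option. The concatenated version is deliberately kept vulnerable so the stacked DELETE can be seen emptying the table, while the parameterized version binds the same payload as one opaque value.

```python
import re
import sqlite3

# The input from the post: it closes the quoted id, stacks a DELETE,
# and comments out whatever the application appended afterwards.
ATTACK = "xxx'; delete from mytable; --"


def make_db():
    """In-memory database with constructed sample rows (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table mytable (id text, col1 text, col2 text, xyz text)")
    conn.executemany(
        "insert into mytable values (?, ?, ?, ?)",
        [("1", "a1", "b1", "abc"), ("2", "a2", "b2", "abc"), ("3", "a3", "b3", "other")],
    )
    conn.commit()
    return conn


def row_count(conn):
    return conn.execute("select count(*) from mytable").fetchone()[0]


def build_concatenated_sql(user_input):
    """The post's vulnerable pattern: user text glued straight into the statement."""
    return "select col1, col2 from mytable where id ='" + user_input + "' and xyz = 'abc'"


def run_concatenated(conn, user_input):
    """Execute the concatenated text and return how many rows survive.

    sqlite3's execute() happens to refuse stacked statements, which is a driver
    quirk, not a defence; executescript() runs them all, as many other
    database drivers do by default.
    """
    conn.executescript(build_concatenated_sql(user_input))
    return row_count(conn)


def run_parameterized(conn, user_input):
    """Bind the input as a single value; the driver never parses it as SQL."""
    return conn.execute(
        "select col1, col2 from mytable where id = ? and xyz = ?",
        (user_input, "abc"),
    ).fetchall()


def is_safe_id(user_input):
    """Hypothetical allow-list check for the first option in the post.

    Assumes ids are short decimal strings; anything else is rejected outright
    rather than trying to enumerate every dangerous character.
    """
    return re.fullmatch(r"[0-9]{1,10}", user_input) is not None


if __name__ == "__main__":
    conn = make_db()
    print(build_concatenated_sql(ATTACK))
    print("parameterized:", run_parameterized(conn, ATTACK), "rows left:", row_count(conn))
    print("concatenated rows left:", run_concatenated(conn, ATTACK))
```

Running it shows the parameterized query returning no rows and leaving all three intact, because the whole payload was compared against the id column as a string, while the concatenated version executes the DELETE and leaves the table empty.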