-2

Possible Duplicate:
Best way to prevent SQL injection?

I'm working on a PHP project with a MySQL database. I have read about SQL injection but would like to have some basic examples. What would happen if it were attacked?

I'm new to this topic. Thanks

Dharman

3 Answers

4

There is a lot to tell, but I'll just say:

As a summary:

[image]

Alain Tiemblo
4

Basically if you have a SQL call like this:

"DELETE FROM Users WHERE InputtedName = '$name'"

People could input on the form: My Name' OR InputtedName != 'My Name

This would result in the following SQL Call, when $name is replaced with the inputted name from a form:

"DELETE FROM Users WHERE InputtedName = 'My Name' OR InputtedName != 'My Name'"

That would delete everything in your table! Not good! So to prevent this, you should use the mysql_real_escape_string() function on all user inputted data.

Alain Tiemblo
Wes Cossick
2

Say I have a table "Users" and someone is registering for an account on my site. They enter their username as '); drop table Users which would terminate my INSERT statement early and cause the users table to be deleted.

A good rule of thumb is to "sanitize" any data you receive from a user. To do this you'll want to use PHP's mysql_real_escape_string (deprecated). An even better option is prepared statements, though they're longer and not always graceful.

$stmt = $mysqli->prepare('select name from users where id = ?');
$id = 'some_id';
$stmt->bind_param('s', $id);   // the type string comes first, then the variable (bound by reference)
$stmt->execute();
$stmt->bind_result($name);
$stmt->fetch();                // $name now holds the value from the first result row
jpumford
  • All mysql_* functions (including `mysql_real_escape_string`) are deprecated. [Your options are MySQLi or PDO](http://php.net/manual/en/mysqlinfo.api.choosing.php) – Jocelyn Nov 20 '12 at 18:25
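The two attacks described in the answers above (the `OR` trick against a quoted string in Wes Cossick's answer, and the stacked `'); drop table Users` input in jpumford's answer) run side by side with a parameterised version, as an added example that is not part of any answer on this page. It uses PDO rather than the mysqli calls shown above (the prepared-statement idea is identical), and an in-memory SQLite database so it runs without a server; the `$dsn` value, the `Users` table layout and the sample rows are assumptions made for the demo, and swapping the DSN for a MySQL one leaves the rest unchanged.

```php
<?php
// Added example, not code from the answers above. Runs offline against SQLite;
// for MySQL change $dsn to e.g. 'mysql:host=127.0.0.1;dbname=app' plus credentials.
// Table and column names (Users, InputtedName) follow the answers; the rows are made up.

$dsn = 'sqlite::memory:';   // assumption for the demo; use a MySQL DSN in a real app
$pdo = new PDO($dsn, null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // on MySQL this makes the server do the binding
]);

function seed(PDO $pdo): void
{
    $pdo->exec('DROP TABLE IF EXISTS Users');
    $pdo->exec('CREATE TABLE Users (id INTEGER PRIMARY KEY, InputtedName TEXT NOT NULL)');
    $insert = $pdo->prepare('INSERT INTO Users (InputtedName) VALUES (?)');
    foreach (['alice', 'bob', 'My Name'] as $n) {   // constructed sample rows
        $insert->execute([$n]);
    }
}

function countUsers(PDO $pdo): int
{
    return (int) $pdo->query('SELECT COUNT(*) FROM Users')->fetchColumn();
}

// 1. The vulnerable pattern from the answers: the user's string is pasted into the SQL.
//    Returns the text actually sent to the database so you can see what it became.
function deleteUserVulnerable(PDO $pdo, string $name): string
{
    $sql = "DELETE FROM Users WHERE InputtedName = '$name'";
    $pdo->exec($sql);
    return $sql;
}

// 2. The hardened version: the statement's shape is fixed at prepare() time and the
//    value travels separately, so quotes inside $name can never change the WHERE clause.
function deleteUserSafe(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare('DELETE FROM Users WHERE InputtedName = ?');
    $stmt->execute([$name]);
    return $stmt->rowCount();   // rows the DELETE actually touched
}

$payload = "My Name' OR InputtedName != 'My Name";   // the input from the answer above

seed($pdo);
printf("before: %d users\n", countUsers($pdo));
printf("sent to DB: %s\n", deleteUserVulnerable($pdo, $payload));
// Every row matches either side of the OR, so the whole table is now empty.
printf("after vulnerable delete: %d users\n", countUsers($pdo));

seed($pdo);
// Same payload, but it is compared as one literal name; nothing is called that, so nothing goes.
printf("rows removed by safe delete: %d\n", deleteUserSafe($pdo, $payload));
printf("after safe delete: %d users\n", countUsers($pdo));

// The stacked-query payload from the other answer, passed as a parameter, is stored as
// an odd-looking username rather than executed: one more row, table still present.
$stacked = "'); drop table Users";
$pdo->prepare('INSERT INTO Users (InputtedName) VALUES (?)')->execute([$stacked]);
printf("after inserting stacked payload as a parameter: %d users\n", countUsers($pdo));
```

Run it with `php demo.php`. One caveat on the stacked payload when it is concatenated instead of bound: `mysqli::query()` refuses a second statement in the same call (only `mysqli::multi_query()` runs several), so there the input errors out rather than dropping the table, while PDO_MySQL does execute stacked statements unless `PDO::MYSQL_ATTR_MULTI_STATEMENTS` is set to false. Binding the value sidesteps the question entirely, which is why it is the fix to reach for rather than escaping.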