-4

Possible Duplicate:
Best way to prevent SQL injection?

I just realized that the php script I use to pull mySQL data and display it on website is extremely vulnerable to SQL injection attacks. What practices are used to protect against these attacks?

James Logan

  • Look at http://bobby-tables.com/php.html for examples of how to use parametrized queries in PHP. See also http://php.net/manual/en/security.database.sql-injection.php – Andy Lester Dec 02 '12 at 20:38

2 Answers

0

Using mysqli_real_escape_string to escape whatever is going in is the least you should be doing.

You might also want to look into using prepared statements.

Read more here: http://php.net/manual/en/security.database.sql-injection.php

bear

  • Please do *not* use string escaping. The wise PHP programmer will use parametrized queries. – Andy Lester Dec 02 '12 at 20:38
  • I said it is the least he should be doing; there are obviously better methods such as parametrizing and using prepared statements. – bear Dec 02 '12 at 20:39
  • Not to mention that prepared statements aren't available everywhere (read: `mysql_*`), and yes, I know developers shouldn't be using that set of functions, but the reality is that we are. – bear Dec 02 '12 at 20:43
0

All the comments to your post are good suggestions. I personally prefer using prepared statements through PHP's PDO.

Every parameter you get from the user (whether direct or indirect), every value you insert into your query from a variable you didn't explicitly set, etc., should be inserted into your queries using prepared statements. No exceptions. More experienced developers can get away with a few exceptions, but I would recommend no exceptions, ever.

See PDO::prepare in the PHP documentation for some examples.

Levi
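As an added example (not part of the original question or either answer): the concatenation pattern the question describes, next to the PDO prepared-statement form this answer recommends, plus the allow-list check needed where a placeholder cannot be used. The `users` table, its columns, the DSN and the credentials are assumed placeholders.

```php
<?php
// Added example, not from the original post. Assumes a table `users` with
// columns `id`, `username`, `email`, and the placeholder DSN/credentials below.
$dsn  = 'mysql:host=localhost;dbname=app;charset=utf8mb4';
$user = 'app_user';      // assumed placeholder
$pass = 'app_password';  // assumed placeholder

$pdo = new PDO($dsn, $user, $pass, [
    // Throw on errors instead of silently returning false.
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Use server-side prepared statements rather than client-side emulation.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// VULNERABLE (the pattern the question describes): user input is concatenated
// into the SQL text, so the input can change the structure of the query.
function findUserVulnerable(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username, email FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIXED: the SQL text is fixed at prepare time; the value travels separately
// and is never parsed as SQL, whatever characters it contains.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholders only bind values. A column name cannot be bound, so check it
// against an allow-list before it goes anywhere near the query text.
function listUsersSorted(PDO $pdo, string $sortColumn, int $limit): array
{
    $allowed = ['id', 'username', 'email'];
    if (!in_array($sortColumn, $allowed, true)) {
        throw new InvalidArgumentException('Unsupported sort column');
    }
    // Bind LIMIT explicitly as an integer so PDO does not quote it as a string.
    $stmt = $pdo->prepare("SELECT id, username, email FROM users ORDER BY $sortColumn LIMIT :limit");
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Request input goes through the safe path only; the vulnerable one is for contrast.
$name = $_GET['username'] ?? '';
var_dump(findUserSafe($pdo, $name));
```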