
Hi, I have the following statement:

function count_rows($table_name, $condition = null, $debug = false)
{
    // $table_name and $condition are concatenated straight into the SQL text,
    // so whatever they carry (including request input) becomes part of the query.
    $query_result = $this->query("SELECT count(*) AS count_rows FROM " . $this->db_prefix . $table_name . " " . $condition, $debug);
    $count_rows = $this->sql_result($query_result, 0, 'count_rows');

    return $count_rows;
}

I have been using the SQL Inject Me addon for Firefox and it gives me the error:

A Mysql error has occurred while running the script:

The query you are trying to run is invalid
Mysql Error Output: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '))' at line 2
SQL Query: SELECT count(*) AS count_rows FROM database_auctions a WHERE a.active=1 AND a.approved=1 AND a.deleted=0 AND a.list_in!='store' AND a.catfeat='1' AND a.closed=0 AND (a.category_id IN ())

How do I sanitize this query against SQL injection?

user1973125
  • Sanitise an invalid query? I don't understand. –  Jan 13 '13 at 23:20
  • Hi guys, let me explain: I used the plugin SQL Inject Me and got the error after posting the field ' OR username IS NOT NULL OR username = '. It normally is not an invalid query and works fine. – user1973125 Jan 13 '13 at 23:58

2 Answers


As you can see near this part of your query:

AND (a.category_id IN ())

You don't actually give it a subquery or list of values. You need to do so to determine whether the result holds the category_id specified.

To help protect against SQL injection, I suggest using the mysqli extension from PHP. I believe it supports prepared statements. By using prepared statements, you are discarding the use of string concatenation, and the server "prepares" the SQL statement, so the query text is only sent to the server once, and then only the parameters are sent when you actually execute the SQL query.

http://php.net/manual/en/class.mysqli-stmt.php

http://php.net/manual/en/mysqli-stmt.prepare.php

TheAJ

It looks like when you pass the $condition you are forgetting something here: a.category_id IN (). Between the parentheses there should be values. To avoid SQL injection, check this

Jefferson
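Both answers make the same two points: the IN () list in the failing query is empty, and the fix for the injection risk is to stop concatenating values into the query text and bind them as prepared-statement parameters instead. The script below is an added example (not code from the question or from either answer) that rebuilds the asker's count_rows() on mysqli prepared statements and builds the IN (...) list with one ? placeholder per id, so an empty list can no longer produce invalid SQL. $mysqli, the connection credentials, $db_prefix, the function names count_rows_safe() and in_clause(), and the request input $raw_ids are all assumptions made for the example.

```php
<?php
// Added example, not the question's or the answers' code. Placeholder
// connection and prefix; the prefix matches the "database_auctions" table
// that appears in the question's error output.
$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$db_prefix = 'database_';

function count_rows_safe(mysqli $db, string $db_prefix, string $table,
                         string $alias = '', string $where = '',
                         array $params = []): int
{
    // Identifiers cannot be bound as parameters, so instead of concatenating
    // arbitrary input they are restricted to a fixed alphabet.
    foreach ([$table, $alias] as $ident) {
        if ($ident !== '' && !preg_match('/^[A-Za-z0-9_]+$/', $ident)) {
            throw new InvalidArgumentException("bad identifier: $ident");
        }
    }
    $sql = 'SELECT COUNT(*) AS count_rows FROM `' . $db_prefix . $table . '`'
         . ($alias !== '' ? ' ' . $alias : '');
    if ($where !== '') {
        // $where is a developer-written skeleton containing only ? markers;
        // every value arrives through $params and never touches the SQL text.
        $sql .= ' WHERE ' . $where;
    }

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    if ($params !== []) {
        // Bind every value as a string; MySQL coerces numeric comparisons.
        $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    }
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();
    return (int) $count;
}

// Turns a list of ids into "col IN (?, ?, ?)" plus its parameter array.
// An empty list is the failure mode from the question: the original code
// emits "IN ()", which is a syntax error, so here it becomes a clause that
// matches nothing while keeping the SQL valid.
function in_clause(string $column, array $values): array
{
    $values = array_map('intval', array_values($values));
    if ($values === []) {
        return ['0', []];
    }
    $placeholders = implode(', ', array_fill(0, count($values), '?'));
    return ["$column IN ($placeholders)", $values];
}

// Constructed request input, including the string the asker's comment says
// the SQL Inject Me plugin posted. After intval() it is just 0, and even as
// a raw string it would only ever be a bound value, never query text.
$raw_ids = ['3', '17', "' OR username IS NOT NULL OR username = '"];
[$in_sql, $in_params] = in_clause('a.category_id', $raw_ids);

$where = 'a.active = 1 AND a.approved = 1 AND a.deleted = 0 AND a.list_in != ? '
       . 'AND a.catfeat = ? AND a.closed = 0 AND (' . $in_sql . ')';
$params = array_merge(['store', '1'], $in_params);

$count = count_rows_safe($mysqli, $db_prefix, 'auctions', 'a', $where, $params);
echo "$count rows\n";
```

Two design points worth noting. Placeholders only work for values, so the table name and alias still have to be validated against a fixed pattern before they are spliced into the query; that is why count_rows_safe() whitelists them rather than trying to "escape" them. And because a prepared statement needs exactly one ? per value, the IN list has to be generated from the parameter count at run time, which is what in_clause() does; the empty-list branch returns a constant false condition so the query the asker's plugin tripped over would now run and simply count zero rows.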