1

I need some help and very very fast because my database was injected. I need at least a script that won't allow users to use :[Spaces, Sybols like ('*','=','/','.') and a list of words ('SELECT','FROM','WHERE')] in the text fields of my register form.

I heared something about mysql_real_escape_string(). What is this command doing? And don't post links to PHP: mysql_real_escape_string() Manual because I already read that.

Victor
  • 109
  • 1
  • 14
  • 2
    If you want a "very very fast" solution, use PDO or MySqli commands instead. Mysql is depreciated at this time due to security and performance issues. – Anwar Dec 10 '14 at 08:34
  • Yes yes. I use mysqli i wrote mysql by mistake but tell me some of those mysqli commands – Victor Dec 10 '14 at 08:38
  • This user needs help very very fast, and instead everyone here recomends rewriting the application. – Marek Dec 10 '14 at 08:53

3 Answers3

2

There'a a right and a wrong way to approach this. The (usually) wrong way is to try and set up an input sanitation method (like a script) and hope that nothing gets through. It usually doesn't work.

What I recommend you to do is rewrite your PHP SQL queries to use MySQLi prepared statements. These are queries that are first converted from the common SQL syntax ("SELECT... WHERE...") to a statement your engine can work with, and only then are the fields replaced with your input, thus preventing SQL injection.

For example, the (very) susceptible SQL syntax:

"SELECT * FROM users_passwords WHERE user='" + user + "' AND pass='" + password + "'"

Can be converted to the following prepared statement:

"SELECT * FROM users_passwords WHERE user=? AND password=?"

And then, using the command bind_param(), you can safely replace the ? placeholders with your parameters after the statement is prepared. While the original SQL query allows you to use some basic injection techniques (like writing ' OR true OR '), prepared statements will not allow this.

Here's a working example:

// Create a new MySQLi connection object
$db = new mysqli('localhost','db_username','db_password','db_name');

// Create a new prepared statement
$stmt = $db->prepare('SELECT * FROM users_passwords WHERE user=? AND pass=?');

// Bind the parameters, in order, to the statement (s stands for string)
$stmt->bind_param('ss', username, password);

// Self-explanatory
$stmt->execute();
mittelmania
  • 3,393
  • 4
  • 23
  • 48
  • I already use mysqli in my scripts. I ONLY have mysqli statements in my scripts. But that won't help me if youre not giving me at least a command or a piece of code that prevent injection because I'm a beginer in php and I have no idea how to make that. – Victor Dec 10 '14 at 08:45
  • I attachhed a code example, I hope this helps (the prepared statement itself is designed to prevent injection) – mittelmania Dec 10 '14 at 08:47
0

If you are in PHP then why don't you do it in your PHP script. sanitize all your user provided input in GET and POST and then move it forward to DB calls. That is the right way to do it.

Nazgul
  • 1,892
  • 1
  • 11
  • 15
0

I would strongly avoid constructing SQL query strings from any input even if you sanitize it.
The good way for security purposes and performance is to use functions to set the parameters:

for example:
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
$stmt->bindParam(1, $name);
$stmt->bindParam(2, $value);

see http://php.net/manual/en/pdo.prepared-statements.php

Hector
  • 151
  • 1
  • 4