-3

I just thought about the safety of my php script and read a lot about sql injections.Now I have a question to save me from it.Is it right when my script doesnt accept characters like ' , ; or " ? Or I just catch this from my Android app ? So I just see the problem in these caracters. Am I right ? Or is there sth I dont see ? If not what would be the easiest way to safe it ?

Ahmet K
  • 713
  • 18
  • 42
  • 2
    Please be more specific. To prevent sql injections use prepared statements – Eric Anderson Dec 15 '14 at 18:07
  • I don't specificly ask HOW I prevent it.I just ask if I can reach the same solution with my idea. So dont accept characters like ' and " ... – Ahmet K Dec 15 '14 at 18:14

1 Answers1

1

never check the string for injection, all you need to do is not concatenate the variable.

  1. Use Prepared Statements.

a "example" in mysqli extract from http://www.wikihow.com/Prevent-SQL-Injection-in-PHP

$name = $_GET['username'];

if ($stmt = $mysqli->prepare("SELECT password FROM tbl_users WHERE name=?")) {

    // Bind a variable to the parameter as a string. 
    $stmt->bind_param("s", $name);

    // Execute the statement.
    $stmt->execute();

    // Get the variables from the query.
    $stmt->bind_result($pass);

   // Fetch the data.
   $stmt->fetch();

   // Display the data.
   printf("Password for user %s is %s\n", $name, $pass);

   // Close the prepared statement.
   $stmt->close();

}

read: http://www.veracode.com/security/sql-injection

if your idea is check the variables for ' or " or ;, it's a hard endless job and in the end can solve by using PDO statment.

Stefan Yohansson
  • 657
  • 5
  • 16