I have a problem. I made a software application and everything is running perfectly, however I found out that it is unsafe to use because I didn't prevent SQL injections. I googled a bit and found that you could use mysql_real_escape_string. However, if I add this around a variable in my PHP file, the whole PHP file stops working properly. Does anybody know how to fix this?

Here is an example PHP file that I am using:

    <?php
        // Connection settings (left blank in the question)
        $server = "";
        $username = "";
        $password = "";
        $database = "";
        $con = mysql_connect($server, $username, $password) or die ("Could not connect: " . mysql_error());
        mysql_select_db($database, $con);

        // Request parameters are taken as-is, without validation or escaping
        $id = $_GET['id'];
        $sitze = $_GET['sitze'];
        $farbe = $_GET['farbe'];
        $kennzeichen = $_GET['kennzeichen'];
        $automarke = $_GET['automarke'];
        $rauchen = $_GET["rauchen"];
        $essen = $_GET["essen"];
        $trinken = $_GET["trinken"];

        $records = array();

        // Insert Fahrten (trip record)
        // The values are interpolated straight into the SQL text. This is the
        // SQL injection the question is about: a single quote in any parameter
        // ends the string literal and the rest of the value becomes SQL.
        $sql = "INSERT INTO fahrzeuge (sitzplaetze, farbe, kennzeichen, automarke, rauchen, essen, trinken, user_user_id) VALUES ('$sitze','$farbe','$kennzeichen','$automarke','$rauchen','$essen','$trinken','$id')";
        if (mysql_query($sql) === TRUE) {       // INSERT returns TRUE on success
            $records[] = "success";
            $idfahrt = mysql_insert_id();       // AUTO_INCREMENT id of the new row
            $records[] = $idfahrt;
        } else {
            $records[] = "Es ist ein Fehler aufgetreten!!";   // "An error has occurred!!"
        }
        // end Insert Fahrten

        mysql_close($con);
        // JSONP response; the callback name is also taken unfiltered from the request
        echo $_GET['jsoncallback'] . '(' . json_encode($records) . ');';
    ?>
    If you can, you should [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) [statements](http://php.net/manual/en/pdo.prepared-statements.php) instead, and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jun 12 '15 at 19:55
  • [Prevent SQL Injection.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Jun 12 '15 at 19:56
  • 4
    There are _millions_ of posts about sql injections and php on google, here on SO and everywhere else on the internet. None of that answered your question? – arkascha Jun 12 '15 at 19:58
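The following is an added example, not code from the question or from any of the commenters: it is the same INSERT written with PDO prepared statements, as the comments above suggest, so that request parameters are never spliced into the SQL text and nothing needs to be escaped by hand. It assumes PHP 5.3.6 or later with the `pdo_mysql` extension, a table `fahrzeuge` with the columns named in the question, and placeholder credentials; the `$callback` whitelist and the `error_log` call are additions of this example.

```php
<?php
// Added example (not the asker's code): the question's INSERT done with PDO
// prepared statements. Assumed: PHP >= 5.3.6 with pdo_mysql, a `fahrzeuge`
// table with the question's columns, placeholder credentials.
$server   = "localhost";
$username = "";
$password = "";
$database = "";

// Reply as JSONP like the original, but only accept a plain JavaScript
// identifier as the callback name: echoing an arbitrary $_GET['jsoncallback']
// reflects attacker-controlled text into the response body.
$callback = (isset($_GET['jsoncallback'])
             && preg_match('/^[A-Za-z_$][A-Za-z0-9_$]*$/', $_GET['jsoncallback']))
    ? $_GET['jsoncallback']
    : 'callback';

header('Content-Type: application/javascript; charset=utf-8');
$records = array();

try {
    $dsn = "mysql:host=$server;dbname=$database;charset=utf8mb4";
    $pdo = new PDO($dsn, $username, $password, array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
    ));

    // The SQL text contains only placeholders; the values are sent to MySQL
    // separately, so quotes or comment markers in them cannot alter the statement.
    $sql = "INSERT INTO fahrzeuge
                (sitzplaetze, farbe, kennzeichen, automarke, rauchen, essen, trinken, user_user_id)
            VALUES
                (:sitze, :farbe, :kennzeichen, :automarke, :rauchen, :essen, :trinken, :id)";
    $stmt = $pdo->prepare($sql);

    // Map request parameters to the named placeholders. Missing keys become
    // empty strings here; the application's own validation (allowed colours,
    // numeric seat count, and so on) still belongs before this point.
    $fields = array('sitze', 'farbe', 'kennzeichen', 'automarke', 'rauchen', 'essen', 'trinken', 'id');
    $params = array();
    foreach ($fields as $field) {
        $params[':' . $field] = isset($_GET[$field]) ? $_GET[$field] : '';
    }

    // A value such as farbe=x','y'); DROP TABLE fahrzeuge; -- is stored literally.
    $stmt->execute($params);

    $records[] = "success";
    $records[] = $pdo->lastInsertId();   // replaces mysql_insert_id()
} catch (PDOException $e) {
    // Keep the driver message server-side; do not send $e->getMessage() to the client.
    error_log("fahrzeuge insert failed: " . $e->getMessage());
    $records[] = "Es ist ein Fehler aufgetreten!!";
}

echo $callback . '(' . json_encode($records) . ');';
```

With `ATTR_EMULATE_PREPARES` set to `false` the placeholders are bound by the MySQL server itself rather than by the driver quoting values client-side, which is the behaviour the asker was trying to approximate with `mysql_real_escape_string`. The response line is unchanged in shape, so the existing client that calls this file with a `jsoncallback` parameter keeps working as long as it sends an ordinary function name.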