
Can someone give me a little help with this? I have three PHP SQL queries, and I have to protect them from SQL injection. I am searching on Google, but I think it is too hard for me, because it's combined with PHP and I don't know much about PHP and less about SQL.

If someone can give me the code protected, I'll be grateful.

the code:

    $q=mysql_query("SELECT * FROM user where email= '".$_REQUEST['email']."'",$link );

    $q=mysql_query("UPDATE user SET mobilePhone='".$_REQUEST['mobilePhone']."', fullName='".$_REQUEST['fullName']."' WHERE email='".$_REQUEST['email']."'",$link );

    $q=mysql_query("UPDATE user SET mobilePhone='".$_REQUEST['mobilePhone']."' , fullName='".$_REQUEST['fullName']."', password='".$_REQUEST['password']."'  WHERE email='".$_REQUEST['email']."'",$link );

Cristian
NullPointerException
    possible duplicate of [Best way to stop SQL Injection in PHP](http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php) – Daniel DiPaolo Dec 17 '10 at 18:42

3 Answers


The least you can do to prevent SQL injection is to use the mysql_real_escape_string function on any variables that go into your queries.

The best you can do is to use prepared statements to avoid SQL injection.

The parameters to prepared statements don't need to be quoted; the driver automatically handles this. If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible).

Suggestion:

To be further on the safe side, you should always use the proper array, e.g. $_POST or $_GET, instead of $_REQUEST, for security reasons.

Sarfraz
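The three queries from the question rewritten with mysqli prepared statements, as an added example that is not part of any answer above. It assumes `$link` is a mysqli connection and that the `user` table has the columns `email`, `mobilePhone`, `fullName` and `password`; input is read from `$_POST`, as suggested.

```php
<?php
// Added example (not from the original post). Assumes $link is a mysqli
// connection and the `user` table has columns email, mobilePhone, fullName,
// password. Input comes from $_POST rather than $_REQUEST.

// Make prepare()/execute() failures throw instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function findUserByEmail(mysqli $link, string $email): ?array
{
    // The value is sent to the server separately from the SQL text, so it is
    // never parsed as SQL no matter which quote characters it contains.
    $stmt = $link->prepare('SELECT * FROM user WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // requires the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

function updateContact(mysqli $link, string $email, string $mobilePhone, string $fullName): int
{
    $stmt = $link->prepare('UPDATE user SET mobilePhone = ?, fullName = ? WHERE email = ?');
    $stmt->bind_param('sss', $mobilePhone, $fullName, $email);   // one type letter per placeholder
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

function updateContactAndPassword(mysqli $link, string $email, string $mobilePhone,
                                  string $fullName, string $password): int
{
    // Same pattern for the third query; how the password column should be
    // stored is a separate concern from injection and is not covered here.
    $stmt = $link->prepare(
        'UPDATE user SET mobilePhone = ?, fullName = ?, password = ? WHERE email = ?'
    );
    $stmt->bind_param('ssss', $mobilePhone, $fullName, $password, $email);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Usage: no manual quoting or escaping anywhere in the SQL strings.
$user = findUserByEmail($link, $_POST['email'] ?? '');
$changed = updateContact($link, $_POST['email'] ?? '', $_POST['mobilePhone'] ?? '', $_POST['fullName'] ?? '');
```

Note that only values can be bound this way; table and column names still have to come from a fixed list in the code, never from user input.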

Well, the simple way would be to wrap each of the $_REQUEST vars in mysql_real_escape_string()...

    $q=mysql_query("SELECT * FROM user
        where email= '".mysql_real_escape_string($_REQUEST['email'])."'",$link );

The better way would be to use prepared queries. There are plenty of tutorials available on how to do it, so I'll leave that to you...

ircmaxell

Take a look at PHP's mysql_real_escape_string

Eamorr
  • prepared statements with placeholders are a much better practice. – Nathan Dec 17 '10 at 18:59
  • +1 as while prepared statements are better, that doesn't mean using `mres` is a **bad** thing. You're still safe... – ircmaxell Dec 17 '10 at 19:01
  • @ircmaxell nothing bad in mres, if used wisely. And a fool (like OP) would fail with prepared. A brain is the only necessary thing, and the rest is optional. – Your Common Sense Dec 17 '10 at 20:29