1

Possible Duplicate:
Best way to stop SQL Injection in PHP

I'm currently designing and building my own content management system and my main worry is someone using an SQL injection on my forms. I have a decent amount of security to get into my CMS but on the front end of the site I'll have a subscriber form and contact form which will link to my MySQL database.

What tend to be the conventional PHP methods for preventing SQL injection on forms?

Any help would be great, thanks.

huddds

3 Answers

1

There's a function mysql_real_escape_string() which is generally seen as a basic requirement for preventing this kind of attack.

Don't forget to also set a character encoding. I'd suggest UTF-8. And make sure your HTML uses the same encoding as your database/tables.

Tyil
-1

Probably one of the best solutions is to filter all incoming data with the function mysql_real_escape_string()

Justin
  • Thanks for all the comments, I'm sure I'll be able to find the method that works best now I've been pointed in the right direction. – huddds Dec 22 '11 at 11:34
  • This function has nothing to do with SQL injections at all. And it is not the "best" for sure. – Your Common Sense Dec 22 '11 at 20:15
  • @Col.Shrapnel - At least read the PHP manual on the function before you start commenting and downvoting people. – Tyil Dec 23 '11 at 15:12
  • @Tyil this manual page is wrong and deceiving. Read other answers under the sql-injection tag and try to understand the matter. – Your Common Sense Jan 03 '12 at 01:29
  • @Col.Shrapnel - Aha, so the **manual** is wrong, but **you** are right? Maybe you should be writing the manual then. That way, there will be no errors at all. – Tyil Jan 03 '12 at 10:26
  • :) In small pages I'm always using mysql_real_escape_string and it worked each time... – Justin Jan 03 '12 at 13:09
  • @Tyil instead of practicing sarcasm you'd better try to understand the matter. – Your Common Sense Jan 03 '12 at 20:44
  • @Justin there are many answers under this tag explaining that "to filter all incoming data with this function" is a completely wrong approach. It is up to you though, if you want to remain under such a delusion. – Your Common Sense Jan 03 '12 at 20:47
  • @Col.Shrapnel - Instead of acting as if you're better than the rest of us here, and telling us how you are better than the manual, you could also answer the question with an answer which in your eyes would be valid. I believe this website is to learn, not to be bitched off...? – Tyil Jan 04 '12 at 09:29
-1

To protect yourself against SQL Injection you need to sanitize input and use parameter queries.

I'm not sure about PHP, but I think you have something like prepared statements. You should search and read a little about it.

Also, that is not the only problem you should care about, please (!!!) take a look at https://www.owasp.org/index.php/Main_Page

Bruno Costa
  • Using both sanitizing input **and** using parameter queries at the same time makes no sense. And "sanitizing" just inputs is not enough. – Your Common Sense Dec 22 '11 at 20:19
  • Col. Shrapnel, that was a "way of saying". But you're right. I also gave the link to one of the best sources he can find to learn about it. – Bruno Costa Dec 23 '11 at 09:42
  • Such a "best" source has nothing to do with practical recommendations and solutions. It is way too broad link for such a question. – Your Common Sense Dec 23 '11 at 09:45
  • Dude, if he doesn't know how to prevent SQL Injection, then he REALLY needs that link at "way too broad". That is part of the base knowledge to develop a web application. Anyway, my answer is the best for him, he should read that and he should use parameter queries. AND he should also sanitize the input anyway. If you don't trust the input you should sanitize input data, there are a lot of other vulnerabilities to take care about. – Bruno Costa Dec 23 '11 at 09:54
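The following is an added example for the question's subscriber/contact form; it is not code from the question or from any of the answers. It puts the "escape everything" approach of the first two answers beside the prepared statements the third answer points to, using mysqli, since the mysql_* extension the answers name was removed in PHP 7 (mysqli's real_escape_string() has the same semantics). The host, credentials, and the `subscribers` table and its columns are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Host, credentials and the
// `subscribers` table are assumptions for illustration.

function connect(): mysqli
{
    // Throw exceptions instead of silently returning false.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli('127.0.0.1', 'cms_user', 'secret', 'cms');
    // The first answer's point about encoding: escaping is only correct for
    // the charset the *connection* uses, so set it through the API rather
    // than with a "SET NAMES" query the escaping function never sees.
    $db->set_charset('utf8mb4');
    return $db;
}

// UNSAFE: escaping a value that is then interpolated without quotes.
// real_escape_string() only neutralises quotes, backslashes and NUL bytes.
// An input such as "1 OR 1=1" contains none of those, survives escaping
// unchanged, and turns the WHERE clause into `id = 1 OR 1=1`, which
// returns every row. Escaping is a string-literal tool, not a query tool.
function find_subscriber_by_escaping(mysqli $db, string $id): array
{
    $id  = $db->real_escape_string($id);
    $sql = "SELECT id, email FROM subscribers WHERE id = $id"; // injectable
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// SAFE: the statement text reaches the server before any value does, so a
// bound value can never change the query's structure, whatever it contains.
function find_subscriber(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM subscribers WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// The question's subscriber form: every user-supplied value is bound,
// including free text that may legitimately contain apostrophes (O'Brien).
function add_subscriber(mysqli $db, string $email, string $name): int
{
    $stmt = $db->prepare(
        'INSERT INTO subscribers (email, name, created_at) VALUES (?, ?, NOW())'
    );
    $stmt->bind_param('ss', $email, $name);
    $stmt->execute();
    return (int) $db->insert_id;
}

// Front-end handler: validate the *shape* of the input for the application's
// sake, then let the driver handle the SQL. Validation is not what stops the
// injection; the binding is.
function handle_subscribe_post(mysqli $db): bool
{
    $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    $name  = trim((string) filter_input(INPUT_POST, 'name'));
    if ($email === false || $email === null || $name === '' || strlen($name) > 200) {
        return false;
    }
    add_subscriber($db, $email, $name);
    return true;
}
```

Two caveats a practitioner should keep in mind with the prepared-statement version: placeholders work only for values, so table and column names, `ORDER BY` targets and similar identifiers coming from a form must be checked against a fixed whitelist rather than bound; and binding protects the database, not the browser, so the same `$name` still needs htmlspecialchars() when the CMS renders it back into HTML.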