Is my code safe from SQL injection

Question

This is my current code as it stands

$search=$_GET["Search"];
$search = addcslashes(mysql_real_escape_string($search), '%_');

THIS CODE WAS GENERATED BY DREAMWEAVER CS4 FROM HERE ON

if (!function_exists("GetSQLValueString")) {
    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
    {
      if (PHP_VERSION < 6) {
        $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
      }

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

mysql_select_db($database_Echos, $Echos);

SQL Satement that Querys the db

$query_Recordset1 = "SELECT catelogue.ARTIST, catelogue.TITLE, catelogue.`CAT NO.`, catelogue.FORMAT, catelogue.`IMAGE PATH` FROM catelogue WHERE catelogue.TITLE LIKE '%$search%'";

More Dremweaver code

 $Recordset1 = mysql_query($query_Recordset1, $Echos) or die(mysql_error());
    $row_Recordset1 = mysql_fetch_assoc($Recordset1);
    $totalRows_Recordset1 = mysql_num_rows($Recordset1);

After this the data gets displayed in a table format

I'm still new to this all and in recent days have found out that you can put staements into my search term and destroy 8 months of database work. It's not like the db isn't backed up but I'd like to rather be safe then sorry.

I have read that a prepared statement is the best way to stop this How can I prevent SQL injection in PHP?.

But as I said I'm new to this and have very little understanding of this.

So Simple put is my code that DW created safe enough

Are there things that should change to make it simpler

And if it's not safe enough how do I make it safer?

Do I use a prepared staement here? If so can someone please explain how to use it here

Please any help would be much appreciated

score 6 · Accepted Answer · answered Jan 05 '12 at 12:17

6

Your code is suffering from a lot of bad practices, but it isn't totally insecure or totally bad as the usual pieces of PHP code I'm used to seeing.

To put it in simple terms - you don't want to use PHP's mysql_ functions. What you should do is use PDO.

mysql_real_escape_string is safe but not 100%. For better explanation refer to the link that explains when mysql_real_escape_string is vulnerable.

So what you would do is create prepared statements with PDO and then you bind the input values. PDO cleans them according to the character set and database being used, which makes it 100% safe and without worrying whether you missed out on something or not.

answered Jan 05 '12 at 12:17

N.B.

13,688
3
45
55

So in simple terms a prepared statemant looks at all the characters in your db and then only allows those characters – Mark Jan 05 '12 at 12:20
Prepared statement is a query that you send to the database, it gets parsed and "precompiled" in such a way that you only send parameters to the db server and it knows how to use them in the query - therefore, it's parse once, use multiple times with different values. So, what the PDO will do is check what db driver is being used (MySQL, PostgreSQL, MSSQL etc) and what character set (UTF8 or something else) and it will know how to treat certain special characters according to the information it obtained. Therefore, it'll clean those special characters properly and they'll be "safe" to use. – N.B. Jan 05 '12 at 12:31
With PDO then do I have to install something to make the code work or is it already complete with wamp that I can just change my code – Mark Jan 05 '12 at 12:58
If you have PHP 5.1 or larger, you have `PDO`. – N.B. Jan 05 '12 at 13:02
Ok I have 5.3.8. So do I have to change all my code, or how much of it must change – Mark Jan 05 '12 at 13:17
Since I don't really have time to guide you step by step trough PDO, I'll just suggest to read about it at the php's website and to find some examples online how it's used. – N.B. Jan 05 '12 at 13:22
Your Help is much appriciated. Thanks N.B. – Mark Jan 05 '12 at 13:24

Is my code safe from SQL injection

1 Answers1