Need to know how to prevent Sql Injection

marlyandedsel · 09/03/2012, 17:33

Any one knows how? I just need to learn it how with explanation guys, or some example to do script, I have google it and I found something but I need another from here, I know someone knows how to explain it well.

badguy4you · 09/03/2012, 18:29

Escaping is the word

You Must prevent user from entering characters that is mainly used in DB Queries

I will give you an example of how the process is done

you have a simple DB Query like

Quote:

SELECT * FROM Accounts WHERE Name = 'badguy4you'

if you let users enter the ' symbol, they can exploit it to get other infromation like turning the above query to something like

Quote:

SELECT * FROM Accounts WHERE Name = 'badguy4you' AND Age = '31'

So you can simply do Escaping on any user input [that interferes with the DB] to prevent this exploit

this is just a brief for you, of course you can find a lot on the internet, JUST GOOGLE IT !

shadowman123 · 09/03/2012, 18:34

Check this Link

_Emme_ · 09/04/2012, 17:21

I wrote a simple function that parse queries and make them safe for one kind of SQL-injections. It's PHP, but as a programmer I'm sure you'll understand it.

Code:

function safe_query($query="") {
	global $_mysql_querys;
	if(stristr(str_replace(' ', '', $query), "unionselect")===FALSE AND stristr(str_replace(' ', '', $query), "union(select")===FALSE){
		$_mysql_querys[] = $query;
		if(empty($query)) return false;
		if(DEBUG == "OFF") $result = mysql_query($query) or die('Query failed!');
		else {
			$result = mysql_query($query) or die('Query failed: '
			.'<li>errorno='.mysql_errno()
			.'<li>error='.mysql_error()
			.'<li>query='.$query);
		}
		return $result;
	}
	else die();
}