
Thread: SQ Injections

  1. #1
    New Coder
    Join Date
    Jul 2011
    Posts
    22
    Thanks
    0
    Thanked 0 Times in 0 Posts

    SQ Injections

    Could someone give me a really quick, basic, detailed lesson on SQL injections. I've never used them before on my crappy games, but I plan to keep this game online and this has to be done. I've looked online and one site says use statements, others say just use the addslash function, then others say just escape it.. What the hell do I use? Please give an example of what I should be doing..

    Also, does this have to be done on everything with user input?

    UPDATE / INSERT / POST / GET ?

    Maybe make this a sticky for others.

  • #2
    ITS
    New Coder
    Join Date
    Jun 2011
    Posts
    10
    Thanks
    0
    Thanked 1 Time in 1 Post
    Hi
    Here you can find more details about sql injection tizag.com/mysqlTutorial/mysql-php-sql-injection.php

  • #3
    Regular Coder
    Join Date
    Dec 2007
    Posts
    145
    Thanks
    5
    Thanked 5 Times in 5 Posts
    Assuming you're using MySQL, use

    PHP Code:
    mysql_real_escape_string( $_GET[ 'var' ] );
    on each and every user input you plan on placing into a query.

    SQL Injection allows users to execute SQL commands. Using the function above renders the malicious input useless.

    NBS

  • #4
    New Coder
    Join Date
    Jul 2011
    Posts
    22
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by nobackseat88 View Post
    Assuming you're using MySQL, use

    PHP Code:
    mysql_real_escape_string( $_GET[ 'var' ] );
    on each and every user input you plan on placing into a query.

    SQL Injection allows users to execute SQL commands. Using the function above renders the malicious input useless.

    NBS
    Thank you for your help, the both of you; really simple and gonna help me.

    Just another question: you say I have to update the user's input; is this also on inserts and updates? I've included a picture with a few examples, is this correct?

  • #5
    Super Moderator guelphdad's Avatar
    Join Date
    Mar 2006
    Location
    St. Catharines, Ontario Canada
    Posts
    2,634
    Thanks
    4
    Thanked 148 Times in 139 Posts
    You need to escape all user input. If you don't, you are vulnerable to attacks.

  • #6
    Regular Coder
    Join Date
    Dec 2007
    Posts
    145
    Thanks
    5
    Thanked 5 Times in 5 Posts
    No, no, you still use

    PHP Code:
    mysql_query( $sql );
    to execute your SQL.

    The function I gave in my previous post is just a function that returns an escaped value. That value can then be placed into a query of any kind (INSERT, DELETE, UPDATE, etc).

    NBS

  • #7
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    27,615
    Thanks
    80
    Thanked 4,635 Times in 4,597 Posts
    We should point out that, in general, parameterized queries are not subject to SQL injection.

    They may be a pain to use, but they can reduce your exposure tremendously.
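    Added example, not code from this thread: the same lookup written the concatenated way and as a parameterized query, plus an INSERT, using mysqli (the mysql_* functions quoted above were removed in PHP 7). The table `users`, its columns, the connection details and the `get_result()` call (needs the mysqlnd driver) are assumptions.

```php
<?php
// Added example (not from the thread). Assumes a MySQL table `users`
// with columns `id`, `name`, `email`, and an open mysqli connection $db.

// VULNERABLE: user input is spliced straight into the SQL text, so a value
// containing a quote character changes the structure of the statement.
function findUserUnsafe(mysqli $db, string $name): ?array
{
    $sql = "SELECT id, name, email FROM users WHERE name = '" . $name . "'";
    $result = $db->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

// SAFE: a prepared (parameterized) statement. The SQL text reaches the
// server first; the value is bound afterwards and can only be data.
function findUserSafe(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare("SELECT id, name, email FROM users WHERE name = ?");
    $stmt->bind_param('s', $name);          // 's' = one string parameter
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// The same pattern covers INSERT / UPDATE: every user-supplied value goes
// through a placeholder. Placeholders cannot stand in for table or column
// names, so those must never come from user input.
function insertUser(mysqli $db, string $name, string $email): int
{
    $stmt = $db->prepare("INSERT INTO users (name, email) VALUES (?, ?)");
    $stmt->bind_param('ss', $name, $email);
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

// Assumed connection details; set the charset so escaping and binding
// agree with the connection's encoding.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app');
$db->set_charset('utf8mb4');
var_dump(findUserSafe($db, $_GET['name'] ?? ''));
```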

  • #8
    Supreme Master coder! abduraooft's Avatar
    Join Date
    Mar 2007
    Location
    N/A
    Posts
    14,865
    Thanks
    160
    Thanked 2,224 Times in 2,211 Posts
    Maybe make this a sticky for others.
    We already have a sticky with a lot of info, including yours. See
    http://www.codingforums.com/showthread.php?t=91271
    The Dream is not what you see in sleep; Dream is the thing which doesn't let you sleep. --(Dr. APJ. Abdul Kalam)

