Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 3 of 3
  1. #1
    Regular Coder
    Join Date
    Sep 2011
    Posts
    116
    Thanks
    1
    Thanked 0 Times in 0 Posts

    Question about MySQL injection protection

    Well I've a question about protection for MySQL injection, I often see stuff like: mysql_escape_string which should protect against it. But well could someone explain me if it does work or it doesn't. And could someone show me a (other) method of protecting. Since I am pretty confused now. I've heard different stories.

  • #2
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    25,996
    Thanks
    79
    Thanked 4,433 Times in 4,398 Posts
    MySQL is not terribly prone to SQL Injection attacks. Much less so than SQL Server, for example. If, indeed, you use mysql_escape_string, along with making sure that numeric values *are* numeric, you should be completely protected.

    In fact, though, if you are coding in PHP you are pretty safe no matter what. That's because the MySQL library for PHP (or at least the default one...you could install a custom one) only allows for one query at a time.

    In general, SQL injection attacks take advantage of systems that allow multiple SQL statements in a single query. So they terminate the first query and then tack on a second (or 2nd, 3rd, etc.) query that does the real damage.

    Example (using PHP notation, but remembering this won't work with PHP's MySQL library):
    Code:
    $id = $_GET["id"];
    $sql = "SELECT * FROM users WHERE id = $id";
    Okay, suppose the hacker hit your site with the URL
    Code:
    www.yoursite.com/yourpage.php?id=1;drop table users
    If you code that naively, as shown, you will end up executing
    Code:
    SELECT * FROM users WHERE id = 1;drop table users
    KABLOOEY.

    In this case, mysql_real_escape_string wouldn't help you. What you really should be doing is ensuring that the variable $id contains *ONLY* an integer number--a valid id.

    Maybe, though, this is one reason that you see so many PHP programs that do
    [code]
    Code:
    $id = mysql_real_escape_string($_GET["id"]);
    $sql = "SELECT * FROM users WHERE id = '$id' "; // notice the apostrophes!
    By putting the ID value into the apostrophes, there is no possible way for the result to be taken as two separate queries.

    But once again, with the standard PHP library this isn't an issue, as PHP should only allow the first statement to execute.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

  • #3
    Regular Coder
    Join Date
    Sep 2011
    Posts
    116
    Thanks
    1
    Thanked 0 Times in 0 Posts
    so if i am correct i don't take a risk when i put my own made register system online. Since me is told the escape string did make sense i used it so i could post a part of the code tomorrow when i am back on my pc. To see if it does make sense


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •