Monday, June 20, 2011

MySQL - SQL injection prevention

If you have ever taken raw user input and inserted it into a MySQL database, there's a chance that you have left yourself wide open to a security issue known as SQL injection.


SQL injection is an attacker getting a SQL statement of their own run on your database without your knowledge. It usually occurs when you ask a user for input, such as their name, and instead of a name they supply a fragment of SQL that you then unknowingly run as part of your own query.


For PHP users, all you need to do is pass the input through the function mysql_real_escape_string before placing it in the query.


<?php
// Needs an open connection made with mysql_connect(); the mysql_* extension was removed in PHP 7.
echo "Escaped Evil Injection:\n";
$name_evil = "'; DELETE FROM customers WHERE 1 or username = '";
$name_evil = mysql_real_escape_string($name_evil); // each quote becomes \' so the value stays inside the string literal
$query_evil = "SELECT * FROM customers WHERE username = '$name_evil'";
echo $query_evil;


Result

Escaped Evil Injection:
SELECT * FROM customers WHERE username = '\'; DELETE FROM customers WHERE 1 or username = \''
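As an added example (not code from the original post), here is the same escaping step written against the mysqli extension, which is what you use on PHP 7 and later now that the mysql_* functions are gone, placed next to a prepared statement, which is the form to prefer. The host, credentials, database and table names are placeholder assumptions, and the hostile input is the same string the post uses, constructed here for the example.

```php
<?php
// Added example, not from the original post. Connection details are placeholders.
$db = new mysqli('localhost', 'app_user', 'app_password', 'shop');
if ($db->connect_errno) {
    die('Connection failed: ' . $db->connect_error);
}

// The same hostile input the post uses, constructed for this example.
$name_evil = "'; DELETE FROM customers WHERE 1 or username = '";

// 1. Escaping: each quote becomes \' so the whole value stays inside the
//    string literal. This only helps when the value sits between quotes.
$safe = $db->real_escape_string($name_evil);
$sql = "SELECT * FROM customers WHERE username = '$safe'";
echo "Escaped query: $sql\n";
$result = $db->query($sql);
printf("Escaped query matched %d rows\n", $result ? $result->num_rows : 0);

// 2. Prepared statement: the value is sent separately from the SQL text, so
//    it can never be parsed as SQL, quoted or not.
$stmt = $db->prepare('SELECT * FROM customers WHERE username = ?');
$stmt->bind_param('s', $name_evil);   // 's' binds the value as a string
$stmt->execute();
$stmt->store_result();                // buffer the rows so num_rows is available
printf("Prepared query matched %d rows\n", $stmt->num_rows);
$stmt->close();
$db->close();
```

Both queries match zero rows, because in both cases the input is treated as a (strange) username rather than as SQL. The reason to prefer the prepared statement is the caveat in the first comment: escaping protects a value only while it is wrapped in quotes, so a value dropped into an unquoted position such as a numeric comparison gets no protection from it, whereas a bound parameter is never part of the SQL text at all. Independently of either technique, a web application that only ever reads from customers should connect as a database user that does not hold DELETE on that table, so a missed escape cannot do the damage the post's example describes.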

