SQL injections

Ok, I know this is dodgey ground for this forum, but the only reason I am interested in SQL injections is for security and hardening database apps. I just read this article:

http://www.sitepoint.com/article/sql-in ... acks-safe/

which is pretty good, and explains a good deal about the main types of injection technique, and some methods of preventing them. It is specifically geared towards ASP though. I tried googling for some PHP tutorials but came up with nothing much other than stuff to do with postnuke etc.

Does anyone know a good tutorial for preventing SQL injections in PHP/MySQL?

In addition, I didn't get what the the double hyphen ( -- ) at the end of the injection was all about?

Thanks guys

-- is a comment delimiter in SQL, keeps the last single-quote from causing ASP or the SQL parser from returning a syntax error.

For the most part, I'd guess that the hardening techniques presented in that article could be applied to PHP as well. I mean, really, both languages interact with HTML in similiar ways, though they have different built-in method to do it. Regardless, it's still POST or GET key/value pairs. If the key is passwd, you can manipulate the value.

The way I handle this in whatever language (I've done CF, PHP and ASP authentication schemes) is to never include a password argument in the WHERE clause. Ask the database about the username (which is, of course a unique index), then in your code, examine the passwords. If they put in some garbage for the username, the database will return an empty array (or recordset, or whatever it returns on your system). Also, remember, you're only looking for one record, after all, so there is no reason to loop through the returns.
.c

*EDIT:
Let me clarify what I mean by "Ask the database about the username" a little bit:

You might use, for example:


That's a very stipped down version, of course, but you get the picture, I think.