Back To Website Security

SQL Injection

  • mando
  • Student
  • Student
  • No Avatar
  • Joined: Feb 26, 2006
  • Posts: 65
  • Status: Offline

Post September 8th, 2006, 9:33 pm

How can I protect my scripts against SQL Injection?

As of now, I run all data submitted through forms through a function that checks for the signs: = ; ' " > <

Is there anything else I should do?
  • Anonymous
  • Bot
  • No Avatar
  • Joined: 25 Feb 2008
  • Posts: ?
  • Loc: Ozzuland
  • Status: Online

Post September 8th, 2006, 9:33 pm

  • meman
  • Web Master
  • Web Master
  • User avatar
  • Joined: Aug 03, 2004
  • Posts: 3432
  • Loc: London Town , Apples and pears and all that crap
  • Status: Offline

Post September 9th, 2006, 5:14 am

What you are already doing should be enough, It would prevent SQL injection and XSS.
I usualy strip everything apart from 1-0 a-z if i can.
GodBeGone - Atheist Blog
  • mando
  • Student
  • Student
  • No Avatar
  • Joined: Feb 26, 2006
  • Posts: 65
  • Status: Offline

Post September 9th, 2006, 10:13 am

Thank you :)
  • squizzle
  • Born
  • Born
  • No Avatar
  • Joined: Sep 17, 2006
  • Posts: 1
  • Status: Offline

Post September 17th, 2006, 7:35 am

You can use the function mysql_real_escape_string
Moderator Remark: spam removed
  • onlyican.com
  • Mastermind
  • Mastermind
  • User avatar
  • Joined: Nov 20, 2005
  • Posts: 1589
  • Loc: Hants, UK
  • Status: Offline

Post September 17th, 2006, 8:41 am

I have a function before i use a variable in a query

PHP Code: [ Select ]
 
function MakeSafe($str, $make_lower = false){
 
if($make_lower){
 
$str = strtolower($str);
 
}
 
$str = stripslashes($str);
 
$str = trim($str);
 
$str = strip_tags($str);
 
$str = mysql_real_escape_string($str);
 
return $str;
 
}
 
 
 
//This makes a POST var secure and lowercase
 
$username = MakeSafe($_POST["username"], 1);
 
 
 
//This makes safe, and keeps the case the same
 
$name = MakeSafe($_POST["name"]);
 
 
  1.  
  2. function MakeSafe($str, $make_lower = false){
  3.  
  4. if($make_lower){
  5.  
  6. $str = strtolower($str);
  7.  
  8. }
  9.  
  10. $str = stripslashes($str);
  11.  
  12. $str = trim($str);
  13.  
  14. $str = strip_tags($str);
  15.  
  16. $str = mysql_real_escape_string($str);
  17.  
  18. return $str;
  19.  
  20. }
  21.  
  22.  
  23.  
  24. //This makes a POST var secure and lowercase
  25.  
  26. $username = MakeSafe($_POST["username"], 1);
  27.  
  28.  
  29.  
  30. //This makes safe, and keeps the case the same
  31.  
  32. $name = MakeSafe($_POST["name"]);
  33.  
  34.  


Note that by adding a 1 (or true, or anything) in the function, it makes it lowercase
Perfect for Username, passwords

and the functions in the main function MakeSafe() should prevent from Injection
Heal your mind, and the body will follow
  • cancer10
  • Proficient
  • Proficient
  • No Avatar
  • Joined: Jun 29, 2006
  • Posts: 268
  • Status: Offline

Post June 20th, 2009, 5:05 am

onlyican.com wrote:
I have a function before i use a variable in a query

PHP Code: [ Select ]
function MakeSafe($str, $make_lower = false){
if($make_lower){
$str = strtolower($str);
}
$str = stripslashes($str);
$str = trim($str);
$str = strip_tags($str);
$str = mysql_real_escape_string($str);
return $str;
}
 
//This makes a POST var secure and lowercase
$username = MakeSafe($_POST["username"], 1);
 
//This makes safe, and keeps the case the same
$name = MakeSafe($_POST["name"]);
 
  1. function MakeSafe($str, $make_lower = false){
  2. if($make_lower){
  3. $str = strtolower($str);
  4. }
  5. $str = stripslashes($str);
  6. $str = trim($str);
  7. $str = strip_tags($str);
  8. $str = mysql_real_escape_string($str);
  9. return $str;
  10. }
  11.  
  12. //This makes a POST var secure and lowercase
  13. $username = MakeSafe($_POST["username"], 1);
  14.  
  15. //This makes safe, and keeps the case the same
  16. $name = MakeSafe($_POST["name"]);
  17.  


Note that by adding a 1 (or true, or anything) in the function, it makes it lowercase
Perfect for Username, passwords

and the functions in the main function MakeSafe() should prevent from Injection



Your MakeSafe function willnot [revent this sql injection attack

Code: [ Select ]
union select 1,2,3,concat_ws(0x3a3a,xuser,xpass),5,6,7,8,9,10,11,12,13 from mytbl_login--
Interview Questions & Answers - http://www.focusinterview.com
My Profile: http://outlineme.com/cancer10
  • casablanca
  • Proficient
  • Proficient
  • User avatar
  • Joined: May 29, 2007
  • Posts: 481
  • Status: Offline

Post June 20th, 2009, 7:05 am

@cancer10: This thread is almost 3 years old; I doubt anyone is still following it up.
No Strings Attached: A JavaScript graphics demo.

Page 1 of 1

Post Information

  • Total Posts in this topic: 6 posts
  • Users browsing this forum: No registered users and 1 guest
  • You cannot post new topics in this forum
  • You cannot reply to topics in this forum
  • You cannot edit your posts in this forum
  • You cannot delete your posts in this forum
  • You cannot post attachments in this forum
 
 

© 2011 Unmelted, LLC. Ozzu® is a registered trademark of Unmelted, LLC.