SQL Injection

  • mando (Student, Posts: 65)

Post 3+ Months Ago

How can I protect my scripts against SQL Injection?

As of now, I run all data submitted through forms through a function that checks for the signs: = ; ' " > <

Is there anything else I should do?
  • meman (Web Master, Posts: 3432, Loc: London Town, Apples and pears and all that crap)

Post 3+ Months Ago

What you are already doing should be enough; it would prevent SQL injection and XSS.
I usually strip everything apart from 1-0 a-z if I can.
  • mando (Student, Posts: 65)

Post 3+ Months Ago

Thank you :)
  • squizzle (Born, Posts: 1)

Post 3+ Months Ago

You can use the function mysql_real_escape_string
Moderator Remark: spam removed
  • onlyican.com (Mastermind, Posts: 1589, Loc: Hants, UK)

Post 3+ Months Ago

I have a function I use before I put a variable in a query

PHP Code:

function MakeSafe($str, $make_lower = false){
    if($make_lower){
        $str = strtolower($str);
    }
    $str = stripslashes($str);              // remove backslashes (e.g. those added by magic_quotes_gpc)
    $str = trim($str);                      // drop leading/trailing whitespace
    $str = strip_tags($str);                // remove HTML/PHP tags
    $str = mysql_real_escape_string($str);  // escape quotes etc.; needs an open MySQL connection
    return $str;
}

//This makes a POST var secure and lowercase
$username = MakeSafe($_POST["username"], 1);

//This makes safe, and keeps the case the same
$name = MakeSafe($_POST["name"]);


Note that by passing a 1 (or true, or anything) to the function, it makes the value lowercase.
Perfect for usernames and passwords.

And the functions inside the main function MakeSafe() should prevent injection.
  • cancer10 (Proficient, Posts: 268)

Post 3+ Months Ago

onlyican.com wrote:
I have a function I use before I put a variable in a query

PHP Code:
function MakeSafe($str, $make_lower = false){
if($make_lower){
$str = strtolower($str);
}
$str = stripslashes($str);
$str = trim($str);
$str = strip_tags($str);
$str = mysql_real_escape_string($str);
return $str;
}
 
//This makes a POST var secure and lowercase
$username = MakeSafe($_POST["username"], 1);
 
//This makes safe, and keeps the case the same
$name = MakeSafe($_POST["name"]);
 

Note that by passing a 1 (or true, or anything) to the function, it makes the value lowercase.
Perfect for usernames and passwords.

And the functions inside the main function MakeSafe() should prevent injection.



Your MakeSafe function will not prevent this SQL injection attack:

Code:
union select 1,2,3,concat_ws(0x3a3a,xuser,xpass),5,6,7,8,9,10,11,12,13 from mytbl_login--
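To show cancer10's point from the defensive side, here is an added example that is not from this thread, written in Python against SQLite so it runs stand-alone; the products table, the mytbl_login table and their rows are constructed. An escaping function in the spirit of MakeSafe() cannot protect a value spliced into the query without quotes (the usual case for a numeric id), whereas a bound parameter is never parsed as SQL.

```python
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory tables standing in for the ones named in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, visible INTEGER);
        INSERT INTO products VALUES (1, 'widget', 1), (2, 'gadget', 0);
        CREATE TABLE mytbl_login (xuser TEXT, xpass TEXT);
        INSERT INTO mytbl_login VALUES ('admin', 'constructed-secret');
    """)
    return conn

def escape_only(value: str) -> str:
    """Escaping in the spirit of MakeSafe(): trim, strip tags, escape quotes.
    SQLite doubles single quotes where MySQL backslash-escapes them; either way
    the escaping only does anything inside a quoted string literal."""
    value = re.sub(r"<[^>]*>", "", value).strip()
    return value.replace("'", "''")

def lookup_escaped(conn: sqlite3.Connection, product_id: str) -> list:
    """Weak pattern: the value is 'made safe' but spliced into the SQL without
    quotes, as a numeric id usually is, so there is nothing for escaping to act on."""
    sql = (f"SELECT name FROM products WHERE id = {escape_only(product_id)}"
           " AND visible = 1")
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn: sqlite3.Connection, product_id: str) -> list:
    """Mitigation: a bound parameter is passed as data and never parsed as SQL."""
    rows = conn.execute(
        "SELECT name FROM products WHERE id = ? AND visible = 1", (product_id,))
    return [row[0] for row in rows]

# Same shape as the UNION input quoted in the post, reduced to one column; the
# trailing -- comments out the rest of the original WHERE clause.
UNION_INPUT = "0 UNION SELECT xuser FROM mytbl_login--"

if __name__ == "__main__":
    db = make_db()
    print(lookup_escaped(db, "1"))                # ['widget']
    print(lookup_escaped(db, UNION_INPUT))        # ['admin']: login table read out
    print(lookup_parameterized(db, "1"))          # ['widget']
    print(lookup_parameterized(db, UNION_INPUT))  # []
```

The same holds for MySQL: mysql_real_escape_string() is only a defence for values that end up inside quotes, and prepared statements (mysqli or PDO) remove the problem regardless of where the value lands.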
  • casablanca (Proficient, Posts: 481)

Post 3+ Months Ago

@cancer10: This thread is almost 3 years old; I doubt anyone is still following it up.


© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.