March 18, 2008 / ranacse05

SQL Injection Again ??


A few days ago I wrote a post on SQL Injection and its protection. Here is a better way to protect the database from SQL injection. Just write a function like this:

function safe_query( $value )
{
    // Undo the automatic escaping added by magic_quotes_gpc (when enabled),
    // so the value is not escaped twice below
    if( get_magic_quotes_gpc() )
    {
        $value = stripslashes( $value );
    }
    // Prefer the MySQL-aware escaping function when it exists
    // (it needs an open mysql_connect() link to know the connection charset)
    if( function_exists( "mysql_real_escape_string" ) )
    {
        $value = mysql_real_escape_string( $value );
    }
    // For PHP versions < 4.3.0 fall back to addslashes
    else
    {
        $value = addslashes( $value );
    }
    return $value;
}
Now use it like this (note that the escaping only protects a value that sits inside quotes in the SQL, so keep the single quotes around $id):

$id = safe_query($_POST['product_id']);
$sql = "SELECT quantity, price FROM $product WHERE id = '$id'";
$re = mysql_query($sql);

3 Comments
  1. manchumahara / Mar 18 2008 5:52 pm

    thank you.

  2. pureform / Mar 19 2008 8:14 pm

    One thing I do if I know that the incoming var is an int is:

    $someID = intval($_POST["someID"]);

    That way if someone tries to hack into the app by sending "sasdfsff" as an ID it will ask the DB for 0 instead of "sasdfsff" … and that way you can omit the single quotes around the ID in the sql 🙂

  3. ranacse05 / Mar 20 2008 8:35 am

    @pureform
    🙂 thanks
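As an added example (not the post's or the commenters' code), here is the same product lookup written with a prepared statement instead of string escaping, combined with the intval() idea from the comments and an allow-list for the table name, which no escaping function can protect because identifiers cannot be bound. It assumes PDO with the SQLite driver is available; the table, rows and allowed table names are constructed for the demo.

```php
<?php
// Constructed in-memory database so the example runs offline (assumption:
// pdo_sqlite is installed; the real post targets MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, quantity INTEGER, price REAL)');
$db->exec('INSERT INTO products VALUES (1, 10, 9.99), (2, 0, 19.50)');

// Table names cannot be sent as bound parameters, so a name taken from the
// request is checked against a fixed allow-list rather than escaped.
function table_name(string $requested): string
{
    $allowed = ['products', 'archive_products'];   // constructed list
    if (!in_array($requested, $allowed, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    return $requested;
}

// Look up quantity and price by id. The id is cast to int (as suggested in
// the comments) and then bound with a placeholder, so it never needs quoting
// or escaping: the driver sends it as data, not as part of the SQL text.
function lookup_product(PDO $db, string $table, $id): ?array
{
    $sql  = sprintf('SELECT quantity, price FROM %s WHERE id = ?', table_name($table));
    $stmt = $db->prepare($sql);
    $stmt->execute([intval($id)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A normal request: quantity 10, price 9.99.
print_r(lookup_product($db, 'products', '1'));

// A classic injection string. intval() turns it into 0, which matches no
// row, and even without the cast the bound value would only ever be compared
// as data, so the OR clause never becomes part of the query. Prints nothing.
print_r(lookup_product($db, 'products', "' OR '1'='1"));

// A request naming a table outside the allow-list is rejected before any
// SQL is built.
try {
    lookup_product($db, 'products; DROP TABLE products', '1');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```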
