Comments on: SQL Injection: How To Prevent Security Flaws In PHP / MySQL

By: shaheen

shaheen — Thu, 29 Sep 2011 05:54:23 +0000

for simple sql, how to prevent sql injection in php? for example select * from table1.

Thanks

By: ch4p1

ch4p1 — Sat, 06 Aug 2011 17:31:06 +0000

Hi !

Instead of use foreach, you can use array_map or array_walk :

function escape($var) {
return mysql_real_escape_string($var);
}

$post = array_map(“escape”, $_POST);

See u !

By: Robson Junior

Robson Junior — Fri, 15 Jul 2011 19:35:52 +0000

Amazing article. I was googling for a quick and easy way to prevent sql injection and i’m very glad to find this site. Information is very technical and fun to read at the same time.
Thanks so much for sharing this

By: Michael W

Michael W — Wed, 29 Jun 2011 06:17:19 +0000

“SELECT * FROM Products WHERE ID = “.mysql_real_escape_string($_GET["id"]);

Doing this would bypass mysql_real_escape_string:
vulnpage.php?id=1 UNION SELECT * FROM Users;

That is because that statement is just poor coding.

“SELECT * FROM `Products` WHERE `ID` = “.mysql_real_escape_string($_GET["id"].“’”);

That is a MUCH better way to write that statement that subverts SQL injections with the use of mysql_real_escape_string().

By: Larry

Larry — Mon, 13 Jun 2011 00:53:53 +0000

I sincerely hope that coders are paraphrasing their code and not actually using code such as “Select * from users where user = mysql_real_escape_string($_POST[user]… etc. etc.

At the VERY minimum coders need to be using a database abstraction layer that includes any necessary data conversions and safeguards.

By: Larry

Larry — Mon, 13 Jun 2011 00:44:13 +0000

No, Chris, hardcoded statements do not suffer from Sql injection attacks. An Sql injection attack is exactly that, an attack upon a web site from an outside source.

By: Chris

Chris — Sun, 12 Jun 2011 11:22:03 +0000

Are php sql statements only at risk from injection when you’re using user-input data as part of the sql string?

For example, if you have statements like:

$con = mysql_connect(“localhost”,”myname”,”password123″);
mysql_select_db(“mydb”, $con);
$result = mysql_query(“SELECT * FROM mytable”);
while($row = mysql_fetch_array($result))
{…etc etc etc

all hard coded into the php file and not using user input, is it at risk?

By: JD

JD — Fri, 27 May 2011 04:49:09 +0000

Thank you so much for the point that you must be connected to mysql for the mysql_real_escape_string() to work!! I had this set to my variables at the beginning of the code and couldn’t get it to work until I read your post.

mysql_connect(“localhost”, “username”, “password”);
$var = mysql_real_escape_string(stripslashes($_POST['var']));

then I could use $var all nice and clean

THANKS AGAIN

By: Edd lol

Edd lol — Wed, 06 Apr 2011 02:39:56 +0000

anywhere you have an SQL query that grabs typed user input and sends it to the database.

you can put it on the variable, on the right hand side, when you assign it the value of the user input.

or if you don’t use variables you can put the post/get/request function inside of it.

By: Ad

Ad — Mon, 04 Apr 2011 21:16:05 +0000

ubtng is right “mysqli_real_escape_string” does not defend against SQL Injection attacks and prepared statements and input validation are the way to go. Correct me if I’m wrong, but you can’t batch statements in MySQL? So \’; DESC users; – wouldn’t work…

You can however inject into numeric values where there is no single quote to break out of so if the site contains the following code:
“SELECT * FROM Products WHERE ID = “.mysql_real_escape_string($_GET["id"]);

Doing this would bypass mysql_real_escape_string:
vulnpage.php?id=1 UNION SELECT * FROM Users;