Comments on: SQL Injection: How To Prevent Security Flaws In PHP / MySQL

By: Haq

Haq — Tue, 17 Aug 2010 19:57:52 +0000

Very good info to be shared with, I was wondering how to protect my website from sql injection. Now I have learned the real use of mysql_real_escape_string usage. Thank you very much.

By: FYI

FYI — Mon, 02 Aug 2010 02:29:52 +0000

Hey people i found something thats helpful for get values
you should also put a post if possible so hackers cant hack those

By: Hydronly

Hydronly — Sat, 03 Jul 2010 15:05:41 +0000

Thank you very much for your explanation. It helped me out a lot.

By: Pheesh

Pheesh — Tue, 22 Jun 2010 05:08:54 +0000

to prevent sql injection from url you would do the same thing as for POST,just do it for GET when you’re getting the data from the url.
//This stops SQL Injection in POST vars
foreach ($_POST as $key => $value) {
$_POST[$key] = mysql_real_escape_string($value);
}

//This stops SQL Injection in GET vars
foreach ($_GET as $key => $value) {
$_GET[$key] = mysql_real_escape_string($value);
}

By: Dyl

Dyl — Tue, 15 Jun 2010 21:35:07 +0000

Yeah, I would REALLY want to know how to prevent the SQL Injection from the URL.

By: Chantal

Chantal — Mon, 07 Jun 2010 15:33:08 +0000

Thanks for the great tutorial. I really appreciated the plain language and simplistic, easy-to-follow examples.

By: Robin

Robin — Fri, 09 Apr 2010 20:31:06 +0000

For everyone who’s interested in preventing SQL injection from user input, you might want to check our newly released opensource library ValidForm Builder.

Some of the key features are:
- Fully CSS and webstandards based forms (no tables)
- Prevent SQL Injection using both clientside and serverside validation
- Check http://www.validformbuilder.org/ for more information, tutorials, complete API reference guide and ofcourse the source download!

This is no commercial; it’s a free to use opensource library for creating webforms.

By: Rich

Rich — Tue, 30 Mar 2010 02:33:11 +0000

Great post! I was just wondering, though: how does mysql_real_escape_string protect you against ;DROP TABLE user; #? You can limit to what users can put into text fields, but doesn’t do any good if your script uses ‘get’ and a hacker can just put it into the url. I think what I can do with my script is to get rid of spaces all together when validating user input, since users should not use spaces in my case, anyways ;p

By: hacker

hacker — Mon, 22 Mar 2010 19:42:28 +0000

you can do it that way too
$username=mysql_real_escape_string($_POST['user']);
$SQL = “SELECT * FROM users WHERE username=’$username’ LIMIT 1″);
it is safer that way

By: Rhett Phillips

Rhett Phillips — Mon, 22 Mar 2010 18:50:26 +0000

Going off the last comment, here’s a quick method to cover all your bases in a pinch.

function me($v){return mysql_real_escape_string($v);}
if($_POST){foreach($_POST as $posts){$posts=me($posts);}}
if($_GET){foreach($_GET as $gets){$gets=me($gets);}}

Put these 3 lines on the same include page as your database class or wherever you connect to a mysql db, you’re all set. Remember three things:
(1) This is not the most efficient method cause it has to work those strings every single time all the time.
(2) The escaping only works if you are connected to mysql.
(3) I only created a separate me() function for brevity and reuse on whatever.