Comments on: SQL Injection: How To Prevent Security Flaws In PHP / MySQL

By: Sushilkumar Shinde

Sushilkumar Shinde — Fri, 05 Mar 2010 06:10:08 +0000

Thanks for such a nice and understandable information about sql injection. Now i can protect my website from this attack.

By: Jon

Jon — Wed, 17 Feb 2010 21:22:13 +0000

Eika, If your page looks like this:

$desc = $_POST['desc'];

You would just do this to prevent the SQL injection:

$desc = $_POST['desc'];
$desc = mysql_real_escape_string($desc);

and you’re set.

By: eika

eika — Tue, 02 Feb 2010 10:16:51 +0000

hi all..

I am a student and i am a new leaner. I would like to know how am i going to develop a coding to prevent sql injection attacks from scratch?

By: valentinstag karten

valentinstag karten — Mon, 01 Feb 2010 00:00:25 +0000

Very nice information.

By: Prakash Bhandari

Prakash Bhandari — Fri, 15 Jan 2010 05:29:14 +0000

Thanks for your article. It really works

By: read and learn

read and learn — Sat, 10 Oct 2009 23:55:59 +0000

the query has a few to many spaces (but didn’t type them in the message..)

also if you want to learn php sql and how to learn the security, don’t buy the basic books, buy the advanced in depth books. I made that error also and have a book written by matt rutledge for creating my own php games and there’s no real information on the subject of “mysql_real_escape_string()” usages. I’m sorry matt, the book is rather helpful on other fields of game devellopment…

By: read and learn

read and learn — Sat, 10 Oct 2009 23:51:10 +0000

I use this line of code to do stuff with the current user’s ID number.

$sql1 = “SELECT stuff FROM data WHERE id =’”.mysql_real_escape_string($idnumber).”‘”;

take notice of all the ‘”. usages.
also how to update stuff to 1 for that id number.

mysql_query(“UPDATE data SET stuff = ‘”.mysql_real_escape_string(1).”‘ WHERE id = ‘”.mysql_real_escape_string($idnumber).”‘”);

take a good look in the use of ‘”. signs.

By: arvind

arvind — Wed, 02 Sep 2009 06:47:25 +0000

‘ or ‘1′=’1
how to prevent sql injection when i am putting ‘ or ‘1′=’1
into url then data is coming so plz help me.

By: ryan

ryan — Wed, 05 Aug 2009 18:01:37 +0000

I found your article very good but you left me wondering about a few things. Why are you pulling all of the information from your SQL databases with select *? I also wanted to know if it is neccesary to put the mysql_real_escape_string everywhere the post command is even if a different function is running such as trim. Also what is the difference between mysql_realescape_string and mysql_escape_string?

By: Kidmenot

Kidmenot — Wed, 05 Aug 2009 17:28:44 +0000

Thanks , but could you tell me exactly where I would put the string to prevent an attack
Thanks