Tycoon Talk
Tycoon Talk is part of Freelancer.com - find skilled workers online at a fraction of the cost.

PHP Forum

want prevention from sql injection
Old 04-01-2009, 02:21 PM want prevention from sql injection
Junior Talker

Posts: 3
Name: Hadi
Trades: 0
index.php

PHP Code:
<html>
<body>
<form action="insert.php" method="post">
Firstname: <input type="text" name="firstname" />
Lastname: <input type="text" name="lastname" />
Age: <input type="text" name="age" />
<input type="submit" />
</form>
</body>
</html>
Then insert.php:

PHP Code:
<?php
// Escape a value for use inside the SQL string; non-numeric values are
// also wrapped in single quotes.
function check_input($value)
{
// Stripslashes
if (get_magic_quotes_gpc())
  {
  $value = stripslashes($value);
  }

// Quote if not a number
if (!is_numeric($value))
  {
  $value = "'" . mysql_real_escape_string($value) . "'";
  }
return $value;
}

$con = mysql_connect("localhost", "root", "");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("injection", $con);

$fname = check_input($_POST['firstname']);
$lname = check_input($_POST['lastname']);
$age   = check_input($_POST['age']);

$sql = "INSERT INTO inject (FirstName, LastName, Age)
VALUES
($fname,$lname,$age)";
if (!mysql_query($sql, $con))
  {
  die('Error: ' . mysql_error());
  }
echo "1 record added";
mysql_close($con);
?>

I use mysql_real_escape_string for the prevention... is my code OK? If it is OK, then when I paste this in the browser:

PHP Code:
http://localhost/sql/insert.php?value=hacked 
then it adds a value like this:



Anybody please help me... how do I prevent it?
Old 04-01-2009, 02:30 PM Re: want prevention from sql injection
NullPointer
Will Code for Food

Posts: 2,815
Name: Matt
Location: Irvine, CA
Trades: 0
That is happening because you're not checking if the values retrieved from post are null. You should validate user input rather than just use mysql_real_escape_string.
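An added example, not hadi's code or NullPointer's, of the combination Matt describes: reject missing or malformed fields up front, and send the values through a prepared statement instead of splicing escaped strings into the SQL text. It assumes the thread's database name, table, columns and connection credentials, and that the mysqli extension is available.

```php
<?php
// Added example (not the poster's code): the same insert as the thread, but every
// field is validated before use and the query is a prepared statement, so the
// data can never be parsed as SQL. Assumes the database "injection" and the
// table inject(FirstName, LastName, Age) from the thread, reached through mysqli.

// Return a trimmed, validated name field, or null if it is missing or malformed.
function field_name(array $src, string $key, int $max = 50): ?string
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return null;                       // a missing field is an error, not ''
    }
    $v = trim($src[$key]);
    // Letters, spaces, apostrophes and hyphens only, with a length bound.
    return preg_match("/^[\\p{L} '-]{1,$max}$/u", $v) ? $v : null;
}

// Age must be a whole number in a plausible range; returns int or null.
function field_age(array $src, string $key): ?int
{
    $v = filter_var($src[$key] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    return $v === false ? null : $v;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);               // the GET ?value=hacked request from the thread
    exit('Use the form.');
}
$fname = field_name($_POST, 'firstname');
$lname = field_name($_POST, 'lastname');
$age   = field_age($_POST, 'age');
if ($fname === null || $lname === null || $age === null) {
    http_response_code(400);
    exit('Invalid or missing input.');
}

// Assumption: same host/user/password as the thread's mysql_connect() call.
$con = new mysqli('localhost', 'root', '', 'injection');
if ($con->connect_error) {
    exit('Could not connect: ' . $con->connect_error);
}
// Placeholders keep the values out of the SQL text, so no quoting or escaping is needed.
$stmt = $con->prepare('INSERT INTO inject (FirstName, LastName, Age) VALUES (?, ?, ?)');
$stmt->bind_param('ssi', $fname, $lname, $age);
if (!$stmt->execute()) {
    exit('Error: ' . $stmt->error);
}
echo '1 record added';
$con->close();
```

With this version a request that omits a field, or that arrives as a GET with a query string, is rejected before any database work happens, which is the case Matt points to.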
 