Tycoon Talk - PHP Forum

Question about PHP/MySQL security
Posted 05-11-2011, 01:46 PM by Learnin' n00b (Super Talker, 113 posts)

I'm making a database driven website and on some of the pages the content on the page changes depending on a variable in the URL. I'm using some code like this:

Code:
$var = isset($_GET['var'])?$_GET['var']:'default';
// the raw URL value is pasted straight into the SQL text
$query = 'SELECT tableCell from dataTable WHERE var =' . '"' . $var . '"';
$result = mysql_query($query);
$row = mysql_fetch_array($result, MYSQL_ASSOC);

//output data..
I'm not a very experienced PHP programmer, but I've heard about MySQL injections and other security problems and need advice. Do I need to do something to "secure" my code?

Thanks for your help
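Worked example, added by the editor and not part of the thread: the query shape from the post above, run three ways against a throwaway in-memory SQLite table through PDO, so it runs with no MySQL server (the table, column names and rows are made up; the original mysql_* extension was removed in PHP 7.0, so PDO is what you would reach for today anyway). MySQL treats "..." and '...' alike as string delimiters unless ANSI_QUOTES is set, so the example uses single quotes, which SQLite also accepts. With the input x' OR '1'='1 the concatenated query returns every row in the table, while the escaped query and the prepared statement return nothing.

```php
<?php
// Added example, not code from the thread. PDO::quote() stands in for
// mysql_real_escape_string() (it escapes the same way and also adds the
// surrounding quotes). Table and rows below are constructed for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');   // MySQL: new PDO('mysql:host=...;dbname=...', $user, $pass)
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE dataTable (var TEXT, tableCell TEXT)');
$pdo->exec("INSERT INTO dataTable VALUES ('default', 'public page'), ('about', 'about page'), ('secret', 'admin only')");

// 1. The pattern from the post: the URL value becomes part of the SQL text,
//    so a quote in the value ends the string and the rest is parsed as SQL.
function lookupUnsafe(PDO $pdo, string $var): array {
    $query = "SELECT tableCell FROM dataTable WHERE var = '" . $var . "'";
    return $pdo->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. The thread's suggestion: escape quotes and backslashes before concatenating.
//    This works only because the value sits inside a quoted string literal.
function lookupEscaped(PDO $pdo, string $var): array {
    $query = 'SELECT tableCell FROM dataTable WHERE var = ' . $pdo->quote($var);
    return $pdo->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Prepared statement: the SQL text is fixed and the value travels separately,
//    so no character in the value can change the statement's structure.
function lookupPrepared(PDO $pdo, string $var): array {
    $stmt = $pdo->prepare('SELECT tableCell FROM dataTable WHERE var = :var');
    $stmt->execute([':var' => $var]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Simulated ?var= values. The second one closes the string literal and
// appends an always-true condition.
$inputs = [
    'about',
    "x' OR '1'='1",
];

foreach ($inputs as $var) {
    printf("input %-18s unsafe=%s escaped=%s prepared=%s\n",
        json_encode($var),
        json_encode(lookupUnsafe($pdo, $var)),
        json_encode(lookupEscaped($pdo, $var)),
        json_encode(lookupPrepared($pdo, $var)));
}
```

The prepared statement is the one to keep: it does not depend on the connection's character set the way mysql_real_escape_string() does, and it cannot be forgotten for one parameter out of several.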
Posted 05-11-2011, 02:08 PM by chrishirst (Chris Hirst, Blackpool, UK; 42,385 posts)

Read the stickied thread at the top of the forum.
Posted 05-11-2011, 04:44 PM by Learnin' n00b

Thanks for pointing me to the sticky topics. There are some really good articles in there.

So, just to make sure, all I need to do is use mysql_real_escape_string() on the "input" and then it's safe to use in the MySQL query? Are there any other potential security problems I should be aware of?

Thanks a lot for your help!!
Posted 05-13-2011, 06:53 AM by PaulW (Paul W, 880 posts)

Nope, not enough. Have a look at http://www.tizag.com/mysqlTutorial/m...-injection.php for some more simple tricks.
Posted 05-13-2011, 06:57 AM by lynxus (UK, 1,618 posts)

Quote (Originally Posted by Learnin' n00b):
    Thanks for pointing me to the sticky topics. There are some really good articles in there.

    So, just to make sure, all I need to do is use mysql_real_escape_string() on the "input" and then it's safe to use in the MySQL query? Are there any other potential security problems I should be aware of?

    Thanks a lot for your help!!

Yeah, pretty much.
You can try to make it safe beforehand just by sanitizing what data should be there.
For example, if it's an email address, use the MySQL escape and also check that the email is in an email format.

You then have two lines of defence.

Quote (Originally Posted by PaulW):
    Nope, not enough. Have a look at http://www.tizag.com/mysqlTutorial/m...-injection.php for some more simple tricks.

Tizag pretty much just says to use mysql escape.

Code:
$var = isset($_GET['var'])?$_GET['var']:'default';

// needs an open mysql_connect() link: without one it emits a warning and returns false,
// and it escapes according to that connection's character set
$var = mysql_real_escape_string($var);
$query = 'SELECT tableCell from dataTable WHERE var =' . '"' . $var . '"';
$result = mysql_query($query);
$row = mysql_fetch_array($result, MYSQL_ASSOC);
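A second added example (editor's code, not the thread's; same in-memory SQLite setup through PDO, with a made-up users table): the two lines of defence described in the post above, and the case that escaping on its own misses. mysql_real_escape_string() only neutralises quotes, backslashes and a few control characters, so it does nothing for a value that is pasted into the SQL unquoted, such as a numeric id; addslashes() stands in for it here because the payload contains none of the characters either function touches. Validating the value with filter_var() (FILTER_VALIDATE_INT, FILTER_VALIDATE_EMAIL) rejects such input before any query is built, and binding the validated value as a typed parameter covers whatever validation alone would not.

```php
<?php
// Added example, not code from the thread. Table and values are constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER, email TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice@example.com'), (2, 'bob@example.com')");

// Escape-only, unquoted numeric context. addslashes() stands in for
// mysql_real_escape_string(): both only touch quotes, backslashes and NULs,
// and "2 OR 1=1" contains none of them, so the SQL becomes WHERE id = 2 OR 1=1.
function byIdEscaped(PDO $pdo, string $id): array {
    $sql = 'SELECT email FROM users WHERE id = ' . addslashes($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// First line of defence: decide what the value may look like before it goes
// anywhere near SQL, and reject anything else rather than trying to clean it.
function validateId(string $raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function validateEmail(string $raw): ?string {
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Second line of defence: the validated value is bound as a typed parameter,
// so even a value that passed validation cannot alter the statement.
function byIdSafe(PDO $pdo, string $raw): array {
    $id = validateId($raw);
    if ($id === null) {
        return [];   // in a real page: respond 400, never fall back to a looser query
    }
    $stmt = $pdo->prepare('SELECT email FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Simulated ?id= values: a normal one and an injection that needs no quotes.
foreach (['2', '2 OR 1=1'] as $raw) {
    printf("id=%-12s escaped-only=%s validated+bound=%s\n",
        json_encode($raw),
        json_encode(byIdEscaped($pdo, $raw)),
        json_encode(byIdSafe($pdo, $raw)));
}

// The email check from the post: a well-formed address passes, an address with
// SQL tacked on fails the format check before any query is built.
foreach (['alice@example.com', "alice@example.com' OR '1'='1"] as $raw) {
    printf("email=%s valid=%s\n", json_encode($raw), var_export(validateEmail($raw) !== null, true));
}
```

For the "2 OR 1=1" input the escape-only query returns both users' addresses, because there was nothing for the escaper to escape; the validated path returns nothing. That is the gap the thread's "just escape it" answer leaves open, and it is why validation plus bound parameters, not escaping, is the combination to rely on.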
Posted 05-13-2011, 09:42 AM by Learnin' n00b

Quote (Originally Posted by PaulW):
    Nope, not enough. Have a look at http://www.tizag.com/mysqlTutorial/m...-injection.php for some more simple tricks.

I don't understand, all that article says is to use mysql_real_escape_string(), right?