Tycoon Talk
The Database Forum


05-30-2009, 10:30 AM Prevent SQL Attacks
Name: suraja
Hey,
I am new to MySQL and I was wondering how to prevent SQL attacks. Would mysql_real_escape_string help? If so, where exactly should I insert it into a script?

Sorry if this question sounds silly, but I’m really new to this.
06-01-2009, 12:00 PM Re: Prevent SQL Attacks
wayfarer07
Name: Abel Mohler
mysql_real_escape_string (in PHP) is for filtering any public string (like in the URL). By filter, I mean it removes any attempt at adding a SQL statement into a string.

Example (assume URL website.com/?page=homepage):
PHP Code:
$clean = mysql_real_escape_string($_GET["page"]);
//now this string will not contain a SQL injection and may be used in a query.
$sql = "select * from content where page='$clean'";
$result = mysql_query($sql);
If this wasn't done, anyone could do something like this:
website.com/?page=homepage and ''=''
which would dump the whole database, depending on how the rest of the page is programmed. There are also a whole string of things that could be done to read things from the database, just depending on what is going on with your code. To be on the safe side, it is always a good idea to filter data you don't have 100% control over.
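An added example, not part of the thread or either poster's code: the same `content` lookup done with a prepared statement, so the request value is bound as data instead of being escaped into the SQL string. It assumes PDO with an in-memory SQLite database (so it runs without a MySQL server) and a constructed table; `fetch_page` and `fetch_by_id` are hypothetical names.

```php
<?php
// Added example. Assumptions: PDO + in-memory SQLite stands in for MySQL;
// the table layout and rows below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver, also disable emulated prepares so binding is server-side:
// $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$db->exec("CREATE TABLE content (id INTEGER PRIMARY KEY, page TEXT, body TEXT)");
$db->exec("INSERT INTO content (page, body) VALUES
    ('homepage', 'Welcome'), ('about', 'About us'), ('admin-notes', 'internal')");

function fetch_page(PDO $db, string $page): array
{
    // The SQL text is fixed; the value travels separately as a bound parameter,
    // so quotes or SQL keywords inside $page are compared as plain characters.
    $stmt = $db->prepare('SELECT page, body FROM content WHERE page = :page');
    $stmt->execute([':page' => $page]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function fetch_by_id(PDO $db, $raw): array
{
    // Numeric context: escaping only protects values placed inside quotes,
    // so validate the type first and bind the result as an integer.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return []; // reject anything that is not a positive integer
    }
    $stmt = $db->prepare('SELECT page, body FROM content WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal page name, the string from the post above,
// and a value containing a quote character.
$inputs = ["homepage", "homepage and ''=''", "o'brien"];
foreach ($inputs as $in) {
    printf("page %-20s => %d row(s)\n", $in, count(fetch_page($db, $in)));
}
foreach (["2", "2 and ''=''", "abc"] as $in) {
    printf("id   %-20s => %d row(s)\n", $in, count(fetch_by_id($db, $in)));
}
```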
 
