insert into education (info) values (:thispost)

February 23, 2009

Check your input data before inserting it into an SQL Query.

The issue of SQL injection was raised something like five years ago, and still there are people who keep ignoring it.

If you’re using PHP to query your database, make sure you’re not inserting crap first.

The easiest things you can do (you can make it as complicated as you like) are the following:

Check integers and IDs given by the user

    // reject anything that is not numeric before it gets anywhere near the query
    if ( !is_numeric( $userinteger ) ) {
       return false;
    }

Don’t just insert strings, escape them

    // the placeholders are already quoted in the template; only the escaped values are swapped in
    $sql = "select * from users where username=':user' and password=SHA1(':pass')";
    // mysql_real_escape_string() needs an open mysql_connect() link so it knows the connection charset
    $sql = str_replace( ":user", mysql_real_escape_string($user), $sql );
    $sql = str_replace( ":pass", mysql_real_escape_string($pass), $sql );
    $res = mysql_query( $sql );
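
The same placeholder idea carried a bit further, as an added example that is not code from the original post: the binder substitutes all `:name` placeholders in a single pass and does the quoting itself, so an escaped value substituted for `:user` is never rescanned for a `:pass` inside it, and integer IDs are checked with a strict digits-only test rather than `is_numeric()`. It uses mysqli (the old `mysql_*` functions are gone from current PHP); the connection details, table and column names are assumptions.

```php
<?php
// Added example, not from the original post. Binds :name placeholders in one pass,
// validating integers and escaping+quoting strings itself, so the quotes live in one
// place and a bound value can never be re-substituted by a later replacement.
// Placeholder connection details; table and column names are made up.
$db = new mysqli('localhost', 'app_user', 'placeholder-password', 'appdb');

function bind_params(mysqli $db, string $sql, array $params): string {
    // Keep literal colons (e.g. times like '12:30') out of the template: they would be
    // read as placeholders. Every :name must have a value, or the call fails loudly.
    return preg_replace_callback('/:([A-Za-z_]\w*)/', function (array $m) use ($db, $params) {
        $name = $m[1];
        if (!array_key_exists($name, $params)) {
            throw new InvalidArgumentException("no value bound for :$name");
        }
        $value = $params[$name];
        if (is_int($value)) {
            return (string) $value;                      // a real PHP int needs no quoting
        }
        if (is_string($value)) {
            // real_escape_string() honours the connection charset; the quotes are added
            // here, so the template must NOT put its own quotes around :name
            return "'" . $db->real_escape_string($value) . "'";
        }
        throw new InvalidArgumentException("unsupported value type for :$name");
    }, $sql);
}

// Strict ID check: ctype_digit() rejects "1e3", " 12", "0x1A" and "-1", all of which
// is_numeric() (or a loose (int) cast) would let through.
function user_id_from_request(array $query): ?int {
    $raw = $query['id'] ?? null;
    if (!is_string($raw) || $raw === '' || strlen($raw) > 18 || !ctype_digit($raw)) {
        return null;
    }
    return (int) $raw;
}

// The post's login query, with the quotes moved out of the template into the binder.
$sql = bind_params($db,
    "select * from users where username = :user and password = SHA1(:pass)",
    ['user' => $_POST['user'] ?? '', 'pass' => $_POST['pass'] ?? '']);
$res = $db->query($sql);

// An ID from the query string is rejected outright rather than guessed at.
$id = user_id_from_request($_GET);
if ($id === null) {
    http_response_code(400);
    exit;
}
$res = $db->query(bind_params($db, "select * from posts where id = :id", ['id' => $id]));
```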

And stop using MD5.
