
Php/mysql Applications - Webmasters - Nairaland


Php/mysql Applications by dmark4real: 5:05pm On Jun 17, 2009
Anyone know how I can protect my PHP/MySQL applications from SQL injection? (Database)

Thanks.
Re: Php/mysql Applications by nitation(m): 5:38pm On Jun 17, 2009
@ Poster

mysql_real_escape_string should solve the problem. Check out this link: http://php.net/mysql_real_escape_string

I believe it should help

I have an example of how to apply it

$username = mysql_real_escape_string($_POST['username']);
$password  = mysql_real_escape_string($_POST['password']);
$sql = "SELECT * FROM table_name WHERE user='$username' AND pass='$password'";

P.S. I do not advise storing passwords in plain text; what I wrote is just an example of how it should be applied. Do not SAVE passwords in plain text in production.

- nitation
Re: Php/mysql Applications by TechPros(m): 10:21am On Jun 18, 2009
SQL injection is mainly caused by unverified/unsanitized user input, so all you need to do is make sure you sanitize all input passed in by users on any form that has a connection with your database.

nitation:

@ Poster

mysql_real_escape_string should solve the problem. Check out this link :
- nitation

As stated by nitation, mysql_real_escape_string($input); is a great function that can help sanitize all user input that contains characters used in a SQL statement, and I think there are other PHP functions that can be used, or you can also define your own function to do that.

nitation:


P.s I do not advice storing passwords in plain text, what I wrote is just an example of how it should be applied. Do not SAVE passwords in plain text during production.
nitation, I don't get you, please explain.
Re: Php/mysql Applications by kolitos007: 11:13am On Jun 18, 2009
Try this code. You can add it as a method if you are using classes, or just add it as a function on the page you are working on.

function sql_quote($value)
{
    // undo the escaping that magic_quotes_gpc adds automatically, if it is on
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    // check if this function exists
    if (function_exists("mysql_real_escape_string"))
    {
        $value = mysql_real_escape_string($value);
    }
    // for PHP versions < 4.3.0 use addslashes
    else
    {
        $value = addslashes($value);
    }
    return $value;
}

So in your SQL query, for example:

$sql = "SELECT * FROM table WHERE id = '" . sql_quote($id) . "'";
Re: Php/mysql Applications by segsalerty(m): 4:30pm On Jun 18, 2009
kolitos007:

Try this code. You can add it as a method if you are using classes, or just add it as a function on the page you are working on.

function sql_quote($value)
{
    // undo the escaping that magic_quotes_gpc adds automatically, if it is on
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    // check if this function exists
    if (function_exists("mysql_real_escape_string"))
    {
        $value = mysql_real_escape_string($value);
    }
    // for PHP versions < 4.3.0 use addslashes
    else
    {
        $value = addslashes($value);
    }
    return $value;
}

So in your SQL query, for example:

$sql = "SELECT * FROM table WHERE id = '" . sql_quote($id) . "'";


Sorry everybody, I dislike it when people copy-paste code here with no explanation. Why?
Well, let me add this to what my pros have told the poster to do:
you can additionally sanitize your user inputs again by using this:
$username = strip_tags(mysql_real_escape_string($_POST['username']));
Use the same for the password too.
Am out!
Re: Php/mysql Applications by yawatide(f): 4:40pm On Jun 18, 2009
sega,

It is usually good coding practice to assign variables to your POSTs/GETs/REQUESTs for readability and maintainability.

Consider this:
$username = $_POST['username'];
$username = strip_tags(mysql_real_escape_string($username));

Of course, check my code for any errors.
Re: Php/mysql Applications by segsalerty(m): 4:45pm On Jun 18, 2009
Of course mom,
I no too dey like post codes here, it's odd, I better give explanations. I no dey like all these copy-paste friends here that won't solve the poster's problem but let them think "wow, see wetin this guy that helped me put down from him head".
Just to help buddies here sha.
Well, I hope the guy has gotten enough help here.
Re: Php/mysql Applications by kolitos007: 4:52pm On Jun 18, 2009
@segsalerty

I am short of words, to be honest. So much for trying to help someone. Yes, this is my code; I have copied and just pasted it. Like I said, it's a function, and you don't even need to make any changes to it: the user copies that code as it is and just uses the function. Simple.

Why don't you just explain to the person that needs help, instead of looking at what I am doing? You are such a mug!!
Re: Php/mysql Applications by segsalerty(m): 5:01pm On Jun 18, 2009
Ah ah, funny buddy,
you put up code and no explanation? Did you really help him? Huh?
Men, teach someone how to catch fish, not giving ready-made roasted fish.

Abeg! Can you ask the poster if he doesn't know what GOOGLE does? Did he tell us that he can't get help from GOOGLE or any search engine by typing a keyword of the help he needed? Won't that be wonderful and preferable, cos GOOGLE can even link him to pages that have enough explanations of the code he is going to source from the page!
Men, I know what am saying. Better people enjoy what a forum entails.
Well, that's enough I can say, am out. I know those I contact for help that will explain to me in toto; nobody knows all.
bye ,
na cafe i dey
Re: Php/mysql Applications by nitation(m): 5:04pm On Jun 18, 2009
@ Segs

What can I say?? Everyone na programmer now oo!

- nitation
Re: Php/mysql Applications by kolitos007: 6:36pm On Jun 18, 2009
@segsalerty
Well, boo hoo to you then, what a plonker. So you are the super programmer? You don't even know who you are talking to; you just start to throw insults at people you don't know. I find your comments very offensive and rude. I don't come on the forum and start to have a go at you for something you have said.

If I paste my code on it, it's my own business. If the poster does not understand, let him ask and then I explain to him. I don't need to explain myself to you; all I can say is I know your kind.

Good luck to you mate.
Re: Php/mysql Applications by kolitos007: 6:58pm On Jun 18, 2009
This guy segsalerty got on my nerves, so am gonna choose to be more civil and explain to the geezer that needed help all over again.

Right, my idea is for you to use functions, so that you can reuse it over and over again and it is not a mess when you are using it in your code. So you can write your function and maybe put it on top of your page if you are not using Object Oriented Programming, OOP as it is called.

Create the function below, assuming you have some knowledge of coding in PHP.

function sql_quote($value)
{
    // undo the escaping that magic_quotes_gpc adds automatically, if it is on
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    // check if this function exists
    if (function_exists("mysql_real_escape_string"))
    {
        $value = mysql_real_escape_string($value);
    }
    // for PHP versions < 4.3.0 use addslashes
    else
    {
        $value = addslashes($value);
    }
    return $value;
}


So you start with checking if there are quotes; quotes can often be used for mail injection as well, hence you have get_magic_quotes_gpc() (this is a PHP function, by the way).
Once there are quotes, then you will use mysql_real_escape_string,

if (function_exists("mysql_real_escape_string")) // you are now checking if there are special characters
If that is the case then you do this: "$value = mysql_real_escape_string($value);" which is what that muppet tried to explain earlier on. Note that his function is a PHP 5 and above function, and if you are using PHP 4 or a lower version then you use addslashes, as shown above.

So you now have your function and you now know what it does; all you need to do is call the function. So when you post, for example, $_POST['username'], all you need to do is set a variable:
$username = sql_quote($_POST['username']);

And use $username in your query.

If segsalerty is not happy with that, he can let me know "plonker"
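Added example, not code from nitation or kolitos007: the thread's escape-and-quote approach rebuilt on mysqli (ext/mysql and its mysql_real_escape_string were removed in PHP 7.0), beside a prepared-statement version of the same lookup, with the password compared against a stored hash as nitation's postscript asks. The table users(id, user, pass_hash), the connection details and the login_* function names are assumptions.

```php
<?php
// Added example, not from any post in this thread.
// Assumes a mysqli connection to a table users(id INT, user VARCHAR,
// pass_hash VARCHAR) whose pass_hash column was filled by password_hash().
// ext/mysql (mysql_real_escape_string, mysql_query) was removed in PHP 7.0,
// so the thread's escaping idea is shown on mysqli instead.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

// Thread-style escaping on mysqli. The escaped text is only safe inside
// single quotes in the SQL string, so the helper adds the quotes itself.
function sql_quote(mysqli $db, string $value): string
{
    return "'" . $db->real_escape_string($value) . "'";
}

// Login check built with escaping. The username is escaped and quoted; the
// password never goes into SQL at all, it is compared against the stored hash.
function login_escaped(mysqli $db, string $username, string $password): bool
{
    $sql = "SELECT pass_hash FROM users WHERE user = " . sql_quote($db, $username);
    $row = $db->query($sql)->fetch_assoc();
    return !empty($row) && password_verify($password, $row['pass_hash']);
}

// Same check with a prepared statement. The username travels as a bound
// parameter and is never spliced into the SQL text, so there is no escaping
// step to forget and no quoting context to get wrong.
function login_prepared(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare("SELECT pass_hash FROM users WHERE user = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    return !empty($row) && password_verify($password, $row['pass_hash']);
}

// Placeholder connection details; replace with your own.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// real_escape_string() must know the connection charset to escape correctly.
$db->set_charset('utf8mb4');

$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';
echo login_prepared($db, $user, $pass) ? "login ok\n" : "login failed\n";
```

login_escaped() is kept only to show where the thread's approach puts the quotes; the prepared form is the one to copy into new code.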
Re: Php/mysql Applications by biggjoe(m): 8:30pm On Jun 18, 2009
Why is it hard to help people here without insults and name-calling?

Is that how you people learned?

Most of you got what you have from forums and on these forums, people only aim to help others and not try to prove they are better.

It's pathetic.
Re: Php/mysql Applications by kolitos007: 8:51pm On Jun 18, 2009
biggjoe:

Why is it hard to help people here without insults and name-calling?

Is that how you people learned?

Most of you got what you have from forums and on these forums, people only aim to help others and not try to prove they are better.

It's pathetic.

Thank you for that. I was just pissed off at first, and realise it is not worth it; am thinking of the poor guy that asked for help. I have been on other forums and posted; no one is going on about what you have done, they just post suggestions. But on this forum, when you try to help, people think you are trying to show off. It is just typical. If you think you know something, it's good to give your opinion; no matter how ordinary a coder you are, you may still be able to help. I have dealt with coders on a higher level, way better than me, but yet they still ask when they don't know. That makes them bigger in my eyes and I give them a lot of respect, and that's why they are good at what they do.

I hope more people see sense like you do.
Re: Php/mysql Applications by nitation(m): 10:03pm On Jun 18, 2009
For sure! My advice for you is to act dumb and let the "best" declare. Thank you for the summary!

- nitation
Re: Php/mysql Applications by Nobody: 1:05pm On Jun 20, 2009
lol, NL sickness: someone asks a Q, someone posts an A, another man picks the A and starts prolonging the thread with it. Why not let's pick the Q and extend it.
Re: Php/mysql Applications by Nobody: 2:33pm On Jun 20, 2009
OP, have you solved the problem? Before person die for here.
Re: Php/mysql Applications by Nobody: 8:34pm On Jun 20, 2009
Maybe I should share this.

I set up a function to check user input for strings like

0x, union select, outfile, load_file, unhex, hex, etc.

You may want to strtolower() and do a trim on them; also bear in mind that users might use 'select' as a username.
I have had someone try to use unioN seLect and it worked for him, or 'union select'.

If it evaluates to true, then it opens the .htaccess file in append mode and appends

"\ndeny from ".$_SERVER['REMOTE_ADDR'];

Trust me, he will need to use another IP, and since he has no clue what is in the background, his new IP will also be blacklisted.
Meanwhile, in the background
there is also a mail() function which sends me a mail, and since I spend most of my time online, I'll just log on to the cPanel log and have fun watching.

I think that will save you from SQL injection.
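The keyword tripwire described in this post, written out as an added example (not webdezzi's code) over constructed inputs: it lower-cases and collapses whitespace before matching and uses word boundaries so that the 'select' username the poster mentions is not flagged. The .htaccess path is a placeholder, and a check like this only supplements escaping or parameterization of the query itself.

```php
<?php
// Added example of the keyword check described in the post above; not
// webdezzi's code. HTACCESS is a placeholder path that PHP must be able to
// write to, as in the post.

const HTACCESS = '/var/www/html/.htaccess';

// Markers taken from the post. \b word boundaries keep a plain username such
// as "select" from matching, while spacing and case variations of the same
// probe still match because the input is lower-cased and its whitespace
// collapsed before the patterns are applied.
const SQLI_PATTERNS = [
    '/\bunion\s+(all\s+)?select\b/',
    '/\binto\s+outfile\b/',
    '/\b(load_file|unhex|hex)\s*\(/',
    '/\b0x[0-9a-f]+\b/',
];

function looks_like_sqli(string $input): bool
{
    $norm = preg_replace('/\s+/', ' ', strtolower(trim($input)));
    foreach (SQLI_PATTERNS as $re) {
        if (preg_match($re, $norm) === 1) {
            return true;
        }
    }
    return false;
}

// Append a deny rule for the requesting address, as the post describes.
function ban_ip(string $ip): void
{
    file_put_contents(HTACCESS, "\ndeny from " . $ip, FILE_APPEND | LOCK_EX);
}

// Constructed sample inputs: a normal username, the poster's own false
// positive, and two spacing/case variants of the same probe.
foreach (['alice', 'select', "UNION   SELECT", "uNiOn\tsElEcT"] as $sample) {
    $flag = looks_like_sqli($sample);
    printf("%-18s %s\n", json_encode($sample), $flag ? 'flag' : 'ok');
}

// Hypothetical wiring in a request handler:
// if (looks_like_sqli($_POST['username'] ?? '')) { ban_ip($_SERVER['REMOTE_ADDR']); }
```

Running it prints ok for 'alice' and 'select' and flag for the two union select variants; anything the patterns do not name, such as a probe that avoids these keywords, passes through, which is why the query itself still has to be escaped or parameterized.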
Re: Php/mysql Applications by kehers(m): 12:46am On Jun 26, 2009
@webdezzi
shocked
Re: Php/mysql Applications by TechPros(m): 3:49pm On Jun 26, 2009
grin
@kehers
that is webdezzi
Re: Php/mysql Applications by Nobody: 10:44pm On Jun 27, 2009
Oops! Did I just fart or what?
