Hey
What's the best way of securing MySQL & PHP from Injections from unauthorized people?
And other kinds of unsecured things?
Thanks in Advance!
Best way to do this for inserting user input into the database, is to use the function mysql_real_escape_string and optionally addslashes to prevent mysql errors caused by symbols such as ' and ". However for showing user input ( outputting it on your webpage ) the function htmlspecialchars, for example, could be used. This will prevent possibly infected user input code from being run.
I've seen mysql_real_escape_string being used before, do I put this before each variable?
Any examples?!
Thanks again friend!
An example would be:
So for example: say you've got a form field named 'username' and submitted using POST form method. Then it would be something like this:
Code:
mysql_real_escape_string($variable);
Or in an example query:
Code:
mysql_real_escape_string($_POST['username'])
But just an example
Code:
mysql_query("INSERT INTO accounts(username) VALUES('".mysql_real_escape_string($_POST['username'])."') ");
And again, you're very welcome!
Thanks a lot mate!
Your help is very appreciated with my project!!
Welcome - I'm glad I could help =]
Just let me know if there's anything more I can help with!!
Would the following be an example of the above executed correctly?
Code:
<?php
//Defines the function that will allow us to display only one post on click
function get_content(mysql_real_escape_string($id = '')) {
//Gets the ID number from the SQL Database
if(mysql_real_escape_string($id = ''"):
$id = mysql_real_escape_string($id);
$sql = "SELECT * FROM cms where id = '$id'";
else:
//If we don't specify an ID display everything
$sql = "SELECT * FROM cms ORDER BY id DESC";
endif;
I would rather do it like this:
As it's important to keep the $id outside the quotes of the query (so '$id' => '".$id."' so rather put mysql_real_escape_string inside that already).
Code:
<?php
//Defines the function that will allow us to display only one post on click
function get_content($id) {
    //Gets the ID number from the SQL Database if not empty
    if(isset($id) AND !empty($id)) {
        $sql = "SELECT * FROM cms WHERE id = '".mysql_real_escape_string($id)."' ";
    }else{
        //If we don't specify an ID display everything
        $sql = "SELECT * FROM cms ORDER BY id DESC";
    }
}
But it could possibly work the way you put it yep
The idea is correct
Also notice you only set the SQL query; you did not execute it so far in the script you supplied.
Okay so I added those lines of code, in this following code can you see any more security errors that may cause problems?
Also since I've added this extra string it's been making my posts look funny, example:
It's never done that before, how do I reverse it?!
What\'s coming next?
We will be developing the system further, creating user profiles, news sections and other features.\r\n
\r\nIn the coming week\'s you will see updates and changed to the whole system.\r\n
\r\nUnfortunately during that time the system may be down for upgrades, we apologize for any inconvenience caused during these downtimes. \r\n\r\n\r\n\r\n
Code:
<!-- Copyright Jacob Clark 2010 | Fusion Strike Studios and Network -->
<!-- Fusion Strike; Live! Was Developed In Loving Memory Of Frederick Clark -->
<!-- Please Do Not Remove These Comments -->
<?php include "config.php"; ?>
<html>
<head>
<title>Fusion Strike; Live!</title>
<link rel="stylesheet" href="style.css" type="text/css" >
</head>
<body>
<img src="images/logo.png">
<br>
<div id="page-wrap"><h6>
<?php
if($_SESSION['name'] == true AND !empty($_SESSION['name'])) {
    echo "Hey, ".$_SESSION['name']; //welcome user w/ username
    echo " | <a href='index.php'>Home</a> | <a href='logout.php'>Logout</a> | <a href='members.php'>Members</a>";
}else{
    echo "<a href='index.php'>Home</a> | <a href='login.php'>Login</a> | <a href='register.php'>Register</a> | <a href='members.php'>Members</a>";
}
?>
</h6></div>
<div id="page-wrap">
<?php
//Defines the function that will allow us to display only one post on click
function get_content ($id = '') {
    //Gets the ID number from the SQL Database
    if($id !=""):
        $id = (mysql_real_escape_string($id));
        $sql = "SELECT * FROM cms where id = '$id'";
    else:
        //If we don't specify an ID display everything
        $sql = "SELECT * FROM cms ORDER BY id DESC";
    endif;
    //If there was an error display it
    $res = mysql_query($sql) or die(mysql_error());
    //This IF statement decides whether the ID tag you have entered exists or not, if it does it
    //displays the post, if it doesn't it displays an error message
    if(mysql_num_rows($res) != 0):
        //How to display the posts
        while($row = mysql_fetch_assoc($res)) {
            //Makes posts titles into links
            echo '<h1><a href="index.php?id=' . mysql_real_escape_string($row['id']) . '">' . mysql_real_escape_string($row['title']) . '</a></h1>';
            echo '<p>' . mysql_real_escape_string($row['body']) . '</p>';
            echo '<br /><h6>Posted By: ' . mysql_real_escape_string($row['name']) . '</h6>';
        }
    else:
        echo '<p>Oh Dear, This Is Embarrassing, It seems we cant find what your looking for!</p>';
    endif;
} //Ends our function
?>
<?php
//Displays the posts
if(isset($_GET['id'])):
    get_content($_GET['id']);
else:
    get_content();
endif;
?>
<?php
//DISPLAY ADMIN LINK
//$result = mysql_query("SELECT * FROM regusers WHERE admin='$admin'");
//if(mysql_result($admin) == yes) {
//echo "Test";
//}else{
//}
?>
</div>
<br>
<div id="footer">Powered by Fusion Strike; Live! 1.0 Pre-Alpha | Fusion Strike © 2010<br>
Fusion Strike and Fusion Strike; Live! © Copyright Jacob Clark 2010<br></div>
</body>
</html>
Ah that's right. To output the text without the backslashes shown, you can use stripslashes for the reversing effect.
So like:
Code:
echo htmlspecialchars(stripslashes($variable));
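The backslashes and literal \r\n in the quoted output are what you get when text is escaped for SQL a second time, as the posted get_content() does by wrapping each $row value in mysql_real_escape_string on output; stripslashes on output only hides that symptom. As an added example that is not from this thread, here is the same get_content() rewritten with PDO prepared statements, which also executes the query (the point raised above) and sends $id as a bound parameter so nothing is escaped for SQL, while HTML escaping happens once at output time. The cms table and its columns come from the thread; the DSN and credentials are placeholders.

```php
<?php
// Added example (not from the thread): get_content() rewritten with PDO prepared
// statements. The `cms` table and its columns come from the thread; the DSN and
// credentials are placeholders.
function db(): PDO {
    return new PDO(
        'mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
         PDO::ATTR_EMULATE_PREPARES => false] // server-side prepares: values never enter the SQL text
    );
}

// $id travels as a bound parameter, so it needs no escaping (and must not get any:
// escaping for SQL is what produced the stray backslashes). The query is executed here.
function get_content(PDO $pdo, ?string $id = null): array {
    if ($id !== null && $id !== '') {
        $stmt = $pdo->prepare('SELECT id, title, body, name FROM cms WHERE id = :id');
        $stmt->execute([':id' => $id]);
    } else {
        $stmt = $pdo->query('SELECT id, title, body, name FROM cms ORDER BY id DESC');
    }
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Inserting works the same way: "What's coming next?" is stored exactly as typed.
function add_post(PDO $pdo, string $title, string $body, string $name): void {
    $stmt = $pdo->prepare('INSERT INTO cms (title, body, name) VALUES (:title, :body, :name)');
    $stmt->execute([':title' => $title, ':body' => $body, ':name' => $name]);
}

// Escape for HTML once, at output time; never mysql_real_escape_string() or stripslashes() here.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$pdo = db();
$id  = (isset($_GET['id']) && is_string($_GET['id'])) ? $_GET['id'] : null; // ?id[]=x would not be a string
$rows = get_content($pdo, $id);
if ($rows === []) {
    echo '<p>Oh Dear, This Is Embarrassing, It seems we cant find what your looking for!</p>';
}
foreach ($rows as $row) {
    echo '<h1><a href="index.php?id=' . h((string) $row['id']) . '">' . h($row['title']) . '</a></h1>';
    echo '<p>' . nl2br(h($row['body'])) . '</p>'; // real line breaks render as <br>, not as literal \r\n
    echo '<br /><h6>Posted By: ' . h($row['name']) . '</h6>';
}
```

With this shape the stored text never carries backslashes, so there is nothing to strip on output and htmlspecialchars alone handles display.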