PHP & MySQL Security

11 replies to this topic

#1
Bioshox

    Programming Professional

  • Members
  • 207 posts
Hey

What's the best way of securing MySQL & PHP from Injections from unauthorized people?

And other kinds of unsecured things?

Thanks in Advance!

#2
webcodez

    Programmer

  • Members
  • 149 posts
Best way to do this for inserting user input into the database is to use the function mysql_real_escape_string and optionally addslashes to prevent MySQL errors caused by symbols such as ' and ". However, for showing user input (outputting it on your webpage) the function htmlspecialchars, for example, could be used. This will prevent possible infected user input code from being run.

#3
Bioshox

    Programming Professional

  • Members
  • 207 posts
I've seen mysql_real_escape_string being used before; do I put this before each variable?

Any examples?!

Thanks again friend!

#4
webcodez

    Programmer

  • Members
  • 149 posts
An example would be:

mysql_real_escape_string($variable);

So for example: say you've got a form field named 'username' submitted using the POST form method. Then it would be something like this:

mysql_real_escape_string($_POST['username'])

Or in an example query:

mysql_query("INSERT INTO accounts(username)VALUES('".mysql_real_escape_string($_POST['username'])."') ");

But just an example :)

And again, you're very welcome ^^

#5
Bioshox

    Programming Professional

  • Members
  • 207 posts
Thanks a lot mate!

Your help is very appreciated with my project! :)

#6
webcodez

    Programmer

  • Members
  • 149 posts
Welcome - I'm glad I could help =]

Just let me know if there's anything more I can help with! :)

#7
Bioshox

    Programming Professional

  • Members
  • 207 posts
Would the following be an example of the above executed correctly?

<?php
	//Defines the function that will allow us to display only one post on click
	function get_content($id = '') {

	//Gets the ID number from the SQL Database
	if($id != ''):
		$id = mysql_real_escape_string($id);
		$sql = "SELECT * FROM cms where id = '$id'";
	else:
		//If we don't specify an ID display everything
		$sql = "SELECT * FROM cms ORDER BY id DESC";
	endif;
	}


#8
webcodez

    Programmer

  • Members
  • 149 posts
I would rather do it like this:

<?php
//Defines the function that will allow us to display only one post on click
function get_content($id) {

	//Gets the ID number from the SQL Database if not empty
	if(isset($id) AND !empty($id)) {
		$sql = "SELECT * FROM cms WHERE id = '".mysql_real_escape_string($id)."' ";
	}else{
		//If we don't specify an ID display everything
		$sql = "SELECT * FROM cms ORDER BY id DESC";
	}

}

As it's important to keep the $id outside the quotes of the query (so '$id' => '".$id."' so rather put mysql_real_escape_string inside that already).

But it could possibly work the way you put it yep :)
The idea is correct ^^

Also notice you have only set the SQL query so far; you did not execute it in the script you supplied.

#9
Bioshox

    Programming Professional

  • Members
  • 207 posts
Okay so I added those lines of code. In the following code, can you see any more security errors that may cause problems?

Also, since I've added this extra string it's been making my posts look funny, example:

Quote

What\'s coming next?
We will be developing the system further, creating user profiles, news sections and other features.\r\n
\r\nIn the coming week\'s you will see updates and changed to the whole system.\r\n
\r\nUnfortunately during that time the system may be down for upgrades, we apologize for any inconvenience caused during these downtimes. \r\n\r\n\r\n\r\n

It's never done that before, how do I reverse it?!

<!-- Copyright Jacob Clark 2010 | Fusion Strike Studios and Network -->
<!-- Fusion Strike; Live! Was Developed In Loving Memory Of Frederick Clark -->
<!-- Please Do Not Remove These Comments -->

<?php
include "config.php";
?>

<html>
<head>
<title>Fusion Strike; Live!</title>
<link rel="stylesheet" href="style.css" type="text/css" >
</head>

<body>
<img src="images/logo.png">
<br>

<div id="page-wrap"><h6>
<?php
if($_SESSION['name'] == true AND !empty($_SESSION['name'])) {
	echo "Hey, ".$_SESSION['name'];  //welcome user w/ username
	echo " | <a href='index.php'>Home</a> | <a href='logout.php'>Logout</a> | <a href='members.php'>Members</a>";
}else{
	echo "<a href='index.php'>Home</a> | <a href='login.php'>Login</a> | <a href='register.php'>Register</a> | <a href='members.php'>Members</a>";
}
?>
</h6></div>

<div id="page-wrap">
	<?php
	//Defines the function that will allow us to display only one post on click
	function get_content ($id = '') {

	//Gets the ID number from the SQL Database
	if($id != ""):
		$id = mysql_real_escape_string($id);
		$sql = "SELECT * FROM cms where id = '$id'";
	else:
		//If we don't specify an ID display everything
		$sql = "SELECT * FROM cms ORDER BY id DESC";
	endif;

	//If there was an error display it
	$res = mysql_query($sql) or die(mysql_error());

	//This IF statement decides whether the ID you have entered exists or not; if it does it
	//displays the post, if it doesn't it displays an error message
	if(mysql_num_rows($res) != 0):

	//How to display the posts
	while($row = mysql_fetch_assoc($res)) {
		//Makes posts titles into links
		echo '<h1><a href="index.php?id=' . mysql_real_escape_string($row['id']) . '">' . mysql_real_escape_string($row['title']) . '</a></h1>';
		echo '<p>' . mysql_real_escape_string($row['body']) . '</p>';
		echo '<br /><h6>Posted By: ' . mysql_real_escape_string($row['name']) . '</h6>';
	}
	else:
		echo '<p>Oh Dear, This Is Embarrassing, It seems we cant find what your looking for!</p>';
	endif;
	}
//Ends our function
?>

<?php
//Displays the posts
	if(isset($_GET['id'])):
		get_content($_GET['id']);
	else:
		get_content();
	endif;
?>

	<?php
	//DISPLAY ADMIN LINK
	//$result = mysql_query("SELECT * FROM regusers WHERE admin='$admin'");
	//if(mysql_result($admin) == yes) {
		//echo "Test";
	//}else{
	//}
	?>
</div>

<br>
<div id="footer">Powered by Fusion Strike; Live! 1.0 Pre-Alpha | Fusion Strike © 2010<br>
Fusion Strike and Fusion Strike; Live! © Copyright Jacob Clark 2010<br></div>
</body>
</html>


#10
webcodez

    Programmer

  • Members
  • 149 posts
Ah, that's right. To output the text without the backslashes shown, you can use stripslashes for the reversing effect.

So like:

echo htmlspecialchars(stripslashes($variable));


#11
Bioshox

    Programming Professional

  • Members
  • 207 posts
So do I use this instead of mysql_real_escape_string??

and this is correct?

<?php
	//Defines the function that will allow us to display only one post on click
	function get_content ($id = '') {

	//Gets the ID number from the SQL Database
	if($id != ""):
		$id = mysql_real_escape_string($id);
		$sql = "SELECT * FROM cms where id = '$id'";
	else:
		//If we don't specify an ID display everything
		$sql = "SELECT * FROM cms ORDER BY id DESC";
	endif;

	//If there was an error display it
	$res = mysql_query($sql) or die(mysql_error());

	//Displays the post if the ID exists, otherwise an error message
	if(mysql_num_rows($res) != 0):

	//How to display the posts
	while($row = mysql_fetch_assoc($res)) {
		//Makes posts titles into links
		echo '<h1><a href="index.php?id=' . htmlspecialchars(stripslashes($row['id'])) . '">' . htmlspecialchars(stripslashes($row['title'])) . '</a></h1>';
		echo '<p>' . htmlspecialchars(stripslashes($row['body'])) . '</p>';
		echo '<br /><h6>Posted By: ' . htmlspecialchars(stripslashes($row['name'])) . '</h6>';
	}
	else:
		echo '<p>Oh Dear, This Is Embarrassing, It seems we cant find what your looking for!</p>';
	endif;
	}
//Ends our function
?>

<?php
//Displays the posts
	if(isset($_GET['id'])):
		get_content($_GET['id']);
	else:
		get_content();
	endif;
?>


#12
webcodez

    Programmer

  • Members
  • 149 posts
Yes that's correct :)

For input to database use mysql_real_escape_string and addslashes.
For output to website use htmlspecialchars (and stripslashes if showing backslashes).
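An added example, not code from either poster: the thread's get_content() written with PDO prepared statements, so the SQL text and the values travel separately, nothing is escaped or addslashes()'d on the way into the database, and htmlspecialchars() is applied once at output, which is also why no backslashes show up in the displayed posts. It assumes an existing PDO connection in $pdo (for example created in config.php) with exceptions enabled, an integer id column, and a small output-encoding helper h() introduced here.

```php
<?php
// Added example: $pdo is assumed to be an existing PDO connection with
// PDO::ATTR_ERRMODE set to PDO::ERRMODE_EXCEPTION (e.g. from config.php).

// Hypothetical helper: HTML-encode a value for output. ENT_QUOTES also
// encodes single quotes, so the value is safe inside attribute values too.
function h($value) {
    return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
}

function get_content(PDO $pdo, $id = '') {
    if ($id !== '') {
        // Bound parameter: the value never becomes part of the SQL text, so
        // no quoting or mysql_real_escape_string() is needed (id assumed INT).
        $stmt = $pdo->prepare('SELECT id, title, body, name FROM cms WHERE id = :id');
        $stmt->bindValue(':id', (int)$id, PDO::PARAM_INT);
        $stmt->execute();
    } else {
        // No ID given: display everything, newest first
        $stmt = $pdo->query('SELECT id, title, body, name FROM cms ORDER BY id DESC');
    }

    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    if (count($rows) === 0) {
        echo '<p>Oh Dear, This Is Embarrassing, It seems we cant find what your looking for!</p>';
        return;
    }

    foreach ($rows as $row) {
        // Values are stored unescaped and encoded only here, at output time,
        // so stripslashes() is never needed and backslashes never appear.
        echo '<h1><a href="index.php?id=' . h($row['id']) . '">' . h($row['title']) . '</a></h1>';
        echo '<p>' . h($row['body']) . '</p>';
        echo '<br /><h6>Posted By: ' . h($row['name']) . '</h6>';
    }
}

// Storing a post: bound parameters again, no addslashes() on the way in.
function add_post(PDO $pdo, $title, $body, $name) {
    $stmt = $pdo->prepare('INSERT INTO cms (title, body, name) VALUES (:title, :body, :name)');
    return $stmt->execute([':title' => $title, ':body' => $body, ':name' => $name]);
}

get_content($pdo, isset($_GET['id']) ? $_GET['id'] : '');
```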