  1. #1
    SitePoint Addict
    Join Date
    Jul 2009
    Posts
    221

    Prevent SQL Injection by escaping?

    I seem to remember I'd read somewhere that we should escape all user input to prevent SQL injections. I did a test, but found no difference to it.

    The query
    PHP Code:
    // Query from the question: user-supplied values are interpolated straight into the SQL string
    $query = "SELECT * FROM login WHERE username = '$username' AND password = '$password'";

    Top portion shows the unescaped results. Bottom the escaped results. Both queries returned results.


    Any example to show what good can mysql_real_escape_string do?

  2. #2
    SitePoint Evangelist
    Join Date
    Aug 2005
    Location
    Winnipeg
    Posts
    498
    The only constant in software is change itself

  3. #3
    SitePoint Wizard bronze trophy
    Join Date
    Jul 2008
    Posts
    5,757
    1' or '1' = '1

  4. #4
    SitePoint Addict
    Join Date
    Jul 2009
    Posts
    221
    Strange... I paste the escaped query into Query Browser, and no rows are fetched. However, in PHP it is still able to retrieve all the records.

  5. #5
    SitePoint Wizard gRoberts
    Join Date
    Oct 2004
    Location
    Birtley, UK
    Posts
    2,439
    I decided to use mysqli's prepared statements. As far as I am aware, it's fairly hard to inject them?

    i.e. select * from Login where Username = ? and Password = ?

    http://php.net/manual/en/mysqli.prepare.php
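A runnable comparison of the three query styles discussed in this thread, added here as an example and not code from any of the posters. It assumes Python's sqlite3 in place of PHP/MySQL, a constructed two-row `login` table, and a quote-doubling `escape()` that stands in for mysql_real_escape_string (SQLite escapes quotes by doubling rather than with a backslash); the input `1' or '1' = '1` is the one from post #3.

```python
import sqlite3

# Constructed sample data standing in for the thread's MySQL `login` table.
ROWS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO login VALUES (?, ?)", ROWS)
    return conn


def login_concat(conn, username, password):
    """Post #1's pattern: values interpolated straight into the SQL string."""
    query = (f"SELECT * FROM login WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchall()


def escape(value):
    """Stand-in for mysql_real_escape_string (hypothetical, SQLite-style):
    doubling each single quote keeps the value inside its string literal."""
    return value.replace("'", "''")


def login_escaped(conn, username, password):
    """Same concatenation, but each *value* is escaped before interpolation.
    Escaping the finished query string instead would not help."""
    query = (f"SELECT * FROM login WHERE username = '{escape(username)}' "
             f"AND password = '{escape(password)}'")
    return conn.execute(query).fetchall()


def login_prepared(conn, username, password):
    """Post #5's approach: placeholders in the SQL, values bound separately."""
    return conn.execute(
        "SELECT * FROM login WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


def demo():
    """Row counts for the post #3 input under each style, plus a legitimate login."""
    conn = make_db()
    payload = "1' or '1' = '1"
    return {
        "concat": len(login_concat(conn, payload, payload)),      # 2: every row
        "escaped": len(login_escaped(conn, payload, payload)),    # 0
        "prepared": len(login_prepared(conn, payload, payload)),  # 0
        "legit_prepared": len(login_prepared(conn, "alice", "s3cret")),  # 1
    }
```

Because AND binds tighter than OR, the concatenated query becomes `username = '1' OR ('1' = '1' AND password = '1') OR '1' = '1'`, which is true for every row; the escaped and parameterised versions compare the whole input as a literal string and match nothing.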


