  1. #1
    SitePoint Member
    Join Date
    Oct 2007

    Check if SQL-Injection safe

    How can I check if my login form is safe from SQL injection attack? What should I input with my input boxes (username and password) to check it, and what output should I expect if it is NOT safe? Thanks.

  2. #2
    From Italy with love
    guido2004
    Join Date
    Sep 2004
    You can't make a form that is safe from SQL injection. What you must do is check the form values that arrive at the receiving script before using them in a query, to prevent SQL injection.
    In general, you should pass user input through the mysql_real_escape_string() function.
    But if you know a value should be numeric, you can check directly for that. If a value should be one of a given set, you can check that. If you pass the value through the md5() function (the password for example), then that takes care of any possible SQL injection.

  3. #3
    felgall (Programming Since 1978)
    Join Date
    Sep 2005
    Sydney, NSW, Australia
    Your first line of defence is always validation. If you validate all your fields and reject any where the content isn't valid input for the field, then you reduce your chances of injection to just those fields where the injection code is also valid input. For those fields there is mysql_real_escape_string() to escape all the necessary characters. It doesn't hurt to build multiple layers of protection just in case someone figures out a way to bypass one layer.
    Stephen J Chapman, Book Reviews, follow me on Twitter
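Added example, not code from the thread or from either poster: a runnable stand-in for the login form in the question, written in Python against an in-memory SQLite table so it runs offline; the PHP/MySQL form being asked about would behave the same way. It answers the original question (what to type into the two boxes, and what to expect if the form is not safe) and exercises the three defences the two replies describe: escaping, validation, and hashing the password so that field never reaches the SQL as typed. Everything in it is constructed for the example: the users table, the probe inputs, and `sql_quote()`, which is an assumed stand-in for mysql_real_escape_string() using SQLite's quote-doubling rule rather than MySQL's backslash rules. MD5 appears only because the second reply proposes it; it is not an acceptable password hash. Note also that mysql_real_escape_string() belongs to the old mysql extension, which was removed in PHP 7; the parameterized query in the last function is what PDO or mysqli prepared statements give you.

```python
import hashlib
import re
import sqlite3


def md5(password):
    # Mirrors the thread's md5() step. Hashing the password means whatever the
    # user typed never appears in the SQL text, only 32 hex characters do.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_db():
    # Constructed sample data: one account, standing in for the MySQL users
    # table behind the login form in the question.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_md5 TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", md5("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The 'before': the WHERE clause is built by concatenation, so a quote in
    # the username ends the literal and the rest of the input is parsed as SQL.
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password_md5 = '" + md5(password) + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def sql_quote(value):
    # Assumed stand-in for mysql_real_escape_string(): SQLite's rule is to
    # double single quotes inside a literal. MySQL additionally backslash-
    # escapes backslash, double quote, NUL and newlines, which is why the
    # real function must come from the database driver, not from hand code.
    return value.replace("'", "''")


def login_escaped(conn, username, password):
    # Escaping every string before it goes into the literal, as the second
    # reply suggests. Correct only if every value, every time, is escaped.
    sql = ("SELECT username FROM users WHERE username = '" + sql_quote(username)
           + "' AND password_md5 = '" + md5(password) + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def login_validated_and_parameterized(conn, username, password):
    # Both layers the third reply describes: reject anything that is not a
    # plausible username, then send the values separately from the SQL text
    # (placeholders) so the database never parses them as code.
    if not USERNAME_RE.fullmatch(username):
        return None
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_md5 = ?",
        (username, md5(password)),
    ).fetchone()
    return row[0] if row else None


# What to type into the form, as (username, password) pairs. A safe form
# returns None for every probe; an unsafe one returns a username even though
# the right password was never supplied.
PROBES = [
    ("alice' -- ", "wrong"),        # comment out the password check
    ("' OR '1'='1' -- ", "wrong"),  # classic tautology in the username field
    ("x", "' OR '1'='1"),           # tautology in the password field
]


def run_probes(login):
    # Returns {username_probe: result} for one login implementation.
    conn = make_db()
    return {username: login(conn, username, password) for username, password in PROBES}


def is_injection_safe(login):
    return all(result is None for result in run_probes(login).values())


def legitimate_login(login, password="correct horse"):
    # Sanity check that the hardened versions still let the real user in.
    return login(make_db(), "alice", password)


if __name__ == "__main__":
    for fn in (login_vulnerable, login_escaped, login_validated_and_parameterized):
        verdict = "safe" if is_injection_safe(fn) else "NOT safe"
        print(f"{fn.__name__}: {verdict} {run_probes(fn)}")
```

The third probe is the one the second reply is getting at: because the password is hashed before it reaches the query, the tautology typed into the password box never becomes SQL even in the vulnerable version. The username box, which is concatenated as typed, is where the first two probes get in, and `alice' -- ` is the one to try first because it logs in as a specific account rather than whichever row the database returns first. In MySQL the `--` comment needs the trailing space (or use `#`), which is why the probes keep it.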

