Results 1 to 3 of 3
Thread: Check if SQL-Injection safe
Oct 21, 2009, 00:24 #1
- Join Date
- Oct 2007
- 0 Post(s)
- 0 Thread(s)
Check if SQL-Injection safe
How can I check if my login form is safe from SQL injection attack? What should I input with my input boxes (username and password) to check it and what output to expect if it is NOT safe. Thanks
Oct 21, 2009, 00:40 #2
You can't make a form that is safe from SQL injection. What you must do is check the form values that arrive at the receiving script before using them in a query, to prevent SQL injection.
In general, you should pass user input through the mysql_real_escape_string() function.
But if you know a value should be numeric, you can check directly for that. If a value should be one of a given set, you can check that. If you pass the value through the md5() function (the password for example), then that takes care of any possible SQL injection.Guido - Community Team Leader
The 2013 SitePoint Awards - Nominate your heroes now!
Thinking Web: Voices of the Community
Blog - Free Flash Slideshow Widget
Oct 21, 2009, 01:04 #3
- Join Date
- Sep 2005
- Sydney, NSW, Australia
- 19 Post(s)
- 1 Thread(s)
Your first line of defence is always validation. If you validate all your fields and reject any where the content isn't valid input for the field then you reduce your chances of injection to just those fields where the injection code iis also valid input. For those fields there is mysql_real_escape_string() to escape all the necessary characters. it doesn't hurt to build multiple layers of protection just in case someone figures a way to bypass one layer.