Re: Some assistance with MS SQL injection and PHP please

Posted by Good Man on 10/25/88 11:37

gene.ellis@gmail.com wrote in news:1137540834.595198.106210@o13g2000cwo.googlegroups.com:

> Hello everyone,
>
> Put simply, we have recently been the victims of a malicious hacker
> because we were not aware of the dangers of SQL injection. Now, I am
> adding additional validation to my forms and also GET variables (we are
> using PHP). Does anyone have any good techniques for the kind of
> validation I should be using to avoid SQL injection? I basically want
> to create a PHP function, run any form variables through the function,
> and then stop the script from executing if any bad input is found.
> Thanks for all of your help. I don't want us to lose all of our data
> again!
>
> GE

Well, there are many ways to clean user input, and more than one should
be used at a time.

The first thing I do to ANY user input variable is addslashes(), which
will turn ' into /' and render ineffective any attempt to insert/delete
records from the database. I'm not sure if this

With any data I am expecting to be numerical, I is_numeric() it, and
toss the user to an ugly error page if it's not numeric.

Also, I rarely ever use anything the user gives me for direct use in my
database. If I need the user to tell me the name of a
column/database/field they need to use for a particular operation, I use
MY short forms/abbreviations, look for them, and then substitute the
right names. I.e.: in a URL "search.php?value=416&searchtype=phone", my
script would say something like...

if($searchtype=="phone") {
$realquery = "SELECT * FROM TELEPHONES ETC ETC";
}

....instead of putting 'TELEPHONES' directly into the URL itself. By
using my own shorthand/abbreviations for real column names, table types,
or ANYTHING database, I can look out for those variables specifically and
ignore anything that isn't what I'm looking for. So in your case, mix up
the real form variable names with temporary ones.

I'm sure there are many other tips, but the main theme is: if you can
help it, trust NOTHING you get back from the user.
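The allow-list idea in the reply above (the URL carries a short name such as "phone", the script maps it to the real table and column, and anything else is ignored), worked through as a complete PHP script. This is an added example, not code from the original post. It goes beyond the post in two ways: the map also carries a per-type validation pattern for the value, standing in for the is_numeric() check, and the value itself is bound as a query parameter through PDO instead of being escaped with addslashes(), which is what actually keeps a quote in the input from becoming part of the SQL. The table TELEPHONES with columns id, name and phone, the pdo_sqlsrv connection string and the credentials are all assumptions for the sake of the example.

```php
<?php
// Added example for this thread, not code from the original post.
// Assumptions (not from the page): a PDO connection through the pdo_sqlsrv
// driver, and a table TELEPHONES with columns id, name and phone.
declare(strict_types=1);

// Allow-list: the short names a URL may carry, mapped to the real table and
// column plus a pattern the value must match. Anything not in this map is
// rejected, so the user never supplies an identifier of their own
// (table and column names cannot be bound as parameters, only values can).
const SEARCH_TYPES = [
    'phone' => ['table' => 'TELEPHONES', 'column' => 'phone', 'pattern' => '/^[0-9]{3,15}$/'],
    // Apostrophes are allowed in names: the value is bound, not spliced into SQL,
    // so O'Brien is just data and cannot close the string literal.
    'name'  => ['table' => 'TELEPHONES', 'column' => 'name',  'pattern' => "/^[\\p{L} .'-]{1,60}$/u"],
];

// Resolve the user's short name to our own identifiers, or refuse.
function resolveSearchType(string $searchtype): array
{
    if (!array_key_exists($searchtype, SEARCH_TYPES)) {
        throw new InvalidArgumentException('unknown searchtype');
    }
    return SEARCH_TYPES[$searchtype];
}

// Second layer: shape-check the value for that search type. Stricter than
// is_numeric(), which also accepts forms like "1e3" and leading whitespace.
function validateValue(array $target, string $value): string
{
    if (preg_match($target['pattern'], $value) !== 1) {
        throw new InvalidArgumentException('value has the wrong shape for this searchtype');
    }
    return $value;
}

// The pattern that gets sites hit: user data concatenated into the SQL text.
// Kept only for contrast with safeSearch() below; do not use.
function vulnerableSearch(PDO $db, string $table, string $column, string $value): array
{
    $sql = "SELECT id, name, phone FROM $table WHERE $column = '$value'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: identifiers come from our own map, the value is bound.
function safeSearch(PDO $db, string $searchtype, string $value): array
{
    $target = resolveSearchType($searchtype);
    $value  = validateValue($target, $value);
    $sql = sprintf(
        'SELECT id, name, phone FROM %s WHERE %s = :value',
        $target['table'],
        $target['column']
    );
    $stmt = $db->prepare($sql);
    $stmt->execute([':value' => $value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// search.php?value=416&searchtype=phone
if (isset($_GET['value'], $_GET['searchtype'])) {
    try {
        // Connection string and credentials are placeholders.
        $db = new PDO('sqlsrv:Server=localhost;Database=contacts', 'app_user', 'app_password');
        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $rows = safeSearch($db, (string) $_GET['searchtype'], (string) $_GET['value']);
        header('Content-Type: application/json');
        echo json_encode($rows);
    } catch (InvalidArgumentException $e) {
        // Bad input: stop the script here, which is what the question asked for.
        http_response_code(400);
        echo 'invalid request';
    } catch (PDOException $e) {
        // Log the driver message; never echo it, it describes the schema to an attacker.
        error_log($e->getMessage());
        http_response_code(500);
        echo 'database error';
    }
}
```

The division of labour is the point: the map decides which identifiers may appear in the query at all, the pattern rejects input that is the wrong shape for that field, and the bound parameter guarantees that whatever survives both checks is treated as a value by the driver rather than as SQL. Checking that the code never builds a query with string interpolation of request data (grep for `"SELECT` and `$_GET`/`$_POST` inside the same string) is the quickest way to confirm a page has moved off the vulnerableSearch() pattern.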

Copyright © 2005-2006 Powered by Custom PHP Programming