MYSQL injection prevention
    22 replies, posted
I'm sort of new to PHP and mysql and I made a script which saves an email address and name to my database but it doesn't have injection prevention, here's the code:
[code]
<html>
<body>
<?php
$email=$_POST['email'];
$name=$_POST['name'];
if($email == ""){
    Echo "<center>ERROR!</center>";
    Echo "<center>You did not enter your email address.</center>";
    Echo "<br>";
    Echo '<center><a href="http://www.openinternetnews.com">Back</a></center>';
} else {
    $con = mysql_connect("localhost","openint1_openin","connect1");
    if(!$con){
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db("openint1_news", $con);
    mysql_query("INSERT INTO news (Email, Name) VALUES ('$email', '$name')");
    Echo "<center>All done.</center>";
    Echo '<center><a href="http://www.Google.com">Go to Google?</a></center>';
    mysql_close($con);
}
?>
</body>
</html>
[/code]
Also, how could I prevent a user entering the same email address more than once?
Do you know why it happens?
[QUOTE=garry;19041317]Do you know why it happens?[/QUOTE] Because people like to hack databases and extract information from them.
Escape your stuff using mysql_real_escape_string.
[QUOTE=ddrl46;19041419]Escape your stuff using mysql_real_escape_string.[/QUOTE] I used that before and it returns a lot of mysql errors because the variables are before the mysql connection.
Move the connection up then... [editline]01:00AM[/editline] Or escape them after the connection.
[php]
$var = $_POST['blah'];                 // read the posted value first
$con = mysql_connect("localhost", "user", "pass"); // open the mysql connection
$var = mysql_real_escape_string($var); // escape only once the connection exists
[/php]
Get it?
[QUOTE=ddrl46;19041718]Move the connection up then... [editline]01:00AM[/editline] Or escape them after the connection.[/QUOTE] I did it like this: [code] $email=using mysql_real_escape_string($_POST['email']); [/code] and I get this error: [code] Parse error: syntax error, unexpected T_STRING in /home/openint1/public_html/addemail.php on line 6 [/code]
Also, did you seriously give your password away there in the OP?
[QUOTE=smidge146;19041762]I did it like this: [code] $email=using mysql_real_escape_string($_POST['email']); [/code][/QUOTE] using?
Just wanted to say that :buddy:.
[QUOTE=smidge146;19041385]Because people like to hack databases and extract information from them.[/QUOTE] But do you know how it actually is done?
People enter stuff in the email box that isn't protected, for example DROP blah blah. Will drop the table.
[QUOTE=ddrl46;19041849]Also, did you seriously give your password away there in the OP?[/QUOTE] Yep, oops, changed it now.
like for e.g. username: ' password: a=a that's the simplest injection you will get, and you actually do sql injects in the address bar. like page.php?id=1 +union+select+1,2,3,4,5,6/* (1-6 is the columns in the db)
Sanitize your database entries [url]http://net.tutsplus.com/tutorials/php/sanitize-and-validate-data-with-php-filters/[/url] [url]http://php.net/manual/en/filter.filters.sanitize.php[/url]
I recommend using [url=http://php.net/manual/en/book.pdo.php]PDO[/url] and parametrized queries.
[QUOTE=ddrl46;19041954]People enter stuff in the email box that isn't protected, for example DROP blah blah. Will drop the table.[/QUOTE] That's not really an answer :) [url]http://en.wikipedia.org/wiki/SQL_injection[/url] has a decent enough explanation
You guys are dicks, you can't stop it, you can just 'patch' it.
You can stop it by escaping input
Can still find other ways.
This is where [url=http://en.wikipedia.org/wiki/Data_validation]Data Validation[/url] comes in. Anything as simple as a [url=http://www.regular-expressions.info/email.html]Regular Expression[/url] that checks the validity of the email address prior to touching the database, would defeat most of the poorly thought-out malicious input. It's not fool-proof, but a good start.
[QUOTE=Wipmuck;19103708]Can still find other ways.[/QUOTE] Incorrect. Escaping input correctly, which is easy to do, or just using parameterised queries (which does this for you), prevents *all SQL injection attacks*.
Or you can simply use PDO.
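The OP's script rewritten the way the PDO/parameterised-query and data-validation replies above suggest, as an added example that is not code from the thread. It validates the email and name before touching the database, inserts through a prepared statement so the values never become part of the SQL text, and answers the OP's second question (no duplicate emails) with a UNIQUE index on Email. Assumed: PHP 8, a MySQL server reachable through the DSN shown, placeholder credentials, and that the `news` table was created with the UNIQUE key shown in the comment.

```php
<?php
// Added example (not the thread's code): the OP's insert rewritten with
// PDO prepared statements, input validation, and duplicate-email handling.
// Assumptions: MySQL reachable via the DSN below, credentials are
// placeholders, and the `news` table has a UNIQUE index on Email:
//   CREATE TABLE news (
//     Email VARCHAR(254) NOT NULL,
//     Name  VARCHAR(100) NOT NULL,
//     UNIQUE KEY uniq_email (Email)
//   );
declare(strict_types=1);

const DSN     = 'mysql:host=localhost;dbname=openint1_news;charset=utf8mb4';
const DB_USER = 'DB_USER_PLACEHOLDER';     // placeholder, not a real account
const DB_PASS = 'DB_PASSWORD_PLACEHOLDER'; // placeholder, not a real password

/** Validate before the database is touched; null means the input is rejected. */
function validateInput(array $post): ?array
{
    $email = trim((string)($post['email'] ?? ''));
    $name  = trim((string)($post['name'] ?? ''));

    // FILTER_VALIDATE_EMAIL does the syntactic check the regex suggestion aims at.
    if ($email === '' || strlen($email) > 254
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Reject empty or overly long names and any control characters.
    if ($name === '' || strlen($name) > 100 || preg_match('/[\x00-\x1F\x7F]/', $name)) {
        return null;
    }
    return ['email' => $email, 'name' => $name];
}

function connect(): PDO
{
    return new PDO(DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

/**
 * Insert a subscriber. Returns 'ok', 'duplicate' or 'error'.
 * The values are bound as parameters, so quotes, semicolons or SQL keywords
 * inside them are stored as data rather than interpreted as SQL.
 */
function addSubscriber(PDO $db, string $email, string $name): string
{
    $stmt = $db->prepare('INSERT INTO news (Email, Name) VALUES (:email, :name)');
    try {
        $stmt->execute([':email' => $email, ':name' => $name]);
        return 'ok';
    } catch (PDOException $e) {
        // MySQL error 1062 (SQLSTATE 23000): duplicate entry for a UNIQUE key.
        if (($e->errorInfo[1] ?? null) === 1062) {
            return 'duplicate';
        }
        error_log('insert failed: ' . $e->getMessage()); // log details, never echo them
        return 'error';
    }
}

// Request handling, mirroring the original script's page flow.
$input = validateInput($_POST);
if ($input === null) {
    echo '<p>ERROR! Please enter a valid email address and name.</p>';
} else {
    $result = addSubscriber(connect(), $input['email'], $input['name']);
    echo match ($result) {
        'ok'        => '<p>All done.</p>',
        'duplicate' => '<p>That email address is already registered.</p>',
        default     => '<p>Something went wrong; please try again later.</p>',
    };
}
```

Two design points: the duplicate check is done by the database's UNIQUE key rather than a SELECT-then-INSERT in PHP, because two requests arriving at once would both pass a SELECT check; and the raw PDO error message goes to the server log, not the page, so a failed query does not leak table or column names to the visitor.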