[PHP] sql injection

Thu, 29 May 2008 12:13:59 -0700 

i have implemented a way to avoid sql injection from the php website from
this url
http://in.php.net/mysql_real_escape_string  from the "Example #3 A "Best
Practice" query" section of this page

following are the steps i have followed after the form values are submitted
to a php file.

step 1.

if(get_magic_quotes_gpc())
{
$username = stripslashes($_POST["username"]);
.........
}

else
{
$username = $_POST["username"];
.........
}

step 2.

$conn = mysql_connect($hostname, $user, $password);

step 3.

$insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s',
...)", mysql_real_escape_string($username, $conn), ...);

step 4.

 if(!$conn)
 {
header("Location: http://website/dberror.html";);
exit;
 }

 else
 {
mysql_select_db($database, $conn);

$insertqueryresult = mysql_query($insertquery);


 if(!$insertqueryresult) {
 header("Location: http://website/error.html";);
 exit;                  }

 }

with the above method i am able to insert values into the table even with if
i enter the ' special character which can cause problems.

i have also used a simple sql insert query like

$insertquery = "INSERT INTO table(username, ...) VALUES ('$username', ...)";

when i used this simple insert query and if i entered ' in the form and
submitted the form the php file is unable to process the information entered
because of the ' character and as per the code error.html file is being
displayed where as if i use

$insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s',
...)", mysql_real_escape_string($username, $conn), ...);

even if i enter any number of ' characters in more than 1 form field data is
being inserted into the table

a)
so i am thinking that the steps i have taken from the php site is correct
and the right way to avoid sql injection though there are several ways to
avoid sql injection.

b)
for example if i enter data in the form as = abc'''def for name, the data in
the table for the name field is being written as abc'''def

based on how i have written the steps to avoid sql injection is this the
right way for the data to be stored with ' characters along with the data
example as i mentioned = abc'''def

please answer the questions a) and b) if there is something else i need to
do please suggest what needs to be done exactly and at which step.

any help will be greatly appreciated.

thanks.

Reply via email to