Hi everyone,
Can anyone tell me the security issues when passing url parameters for a forum. I'm building my own forums using dreamweaver and as I understand it, using url parameters make the site susceptible to sql injection.
Regards
Taffd
Taffd 1 Junior Poster
hacker9801 49 Junior Poster
For an SQL query, use something like
$var = mysql_real_escape_string(htmlspecialchars($_GET['param']));
mysql_query($var);I dunno, that's what I use. Let a real expert tell you. :P
nav33n 472 Purple hazed! Team Colleague Featured Poster
lol.. hacker9801 is right.. htmlspecialchars will convert html characters like >, <, & to > < and so on.. and mysql_real_escape_string will escape all the special characters in user's input, like, /, ', " etc..
TopDogger 5 Junior Poster in Training
That's a good routine to use if your server is set up to use it properly.
mysql_real_escape_string will not work unless you are using at least PHP 4.3.0. Also, if magic quotes is turned on, you can get double backslashes.
As an alternative, you can try the following or modify it as necessary.
The function on that page is commonly used for preventing SQL injection issues.
htmlspecialchars is also good for preventing cross-site scripting.
Taffd 1 Junior Poster
Thanks y'all, particularly to TopDogger, for the link. Maybe I should have been a little more specific.
I'm particularly interested in whether dreamweaver written code already takes these issues into account.
In light of your answers so far, I will revisit the code and try to work it out.
Regards
Taffd
nav33n 472 Purple hazed! Team Colleague Featured Poster
I'm particularly interested in whether dreamweaver written code already takes these issues into account.
Nope.
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.