SQL injection example

Question

veledrom 32 Master Poster

15 Years Ago

Hi,

I wonder what is the best way to prevent injection against user input. There are a lot of examples but one say "magic_quotes_gpc" is good but removed from PHP soon. Therefore, no point of using it. Another says "mysql_real_escape_string and addslashes" just used to clean iptuts. Etc etc.

I am confused what to realy use. Can anyone make code below best practice plase.

Thanks in advance

<?php
$uid=$_POST["username"];
$psw=$_POST["password"];

$query="SELECT * FROM mytable WHERE uid='$uid' AND psw=sha1('$psw')";

$runit=mysql_query($query);
?>

php

Edited 11 Years Ago by mike_2000_17 because: Fixed formatting

5 Contributors
4 Replies
163 Views
2 Years Discussion Span
Latest Post 12 Years Ago Latest Post by phplover

ShawnCplus 456 Code Monkey

15 Years Ago

Use PDO/mysqli and prepared statements, that's the easiest way to prevent it. Forget about all the magic_quotes BS. mysql::prepare

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

somedude3488 228 Nearly a Posting Virtuoso · Answer 1 · 2009-07-21T04:32:12+00:00

Pretty much mysql_real_escape_string() is all you need.

jporter892 0 Newbie Poster · Answer 2 · 2012-04-21T03:18:00+00:00

The best way to go is to use prepared statements - you can read why here, there's a good example:

{snipped}

and more about SQL Injection here:

{snipped}

phplover 0 Junior Poster in Training · Answer 3 · 2012-04-21T13:03:58+00:00

Hi,

I agree with others that PDO/Prepared Statements are the way forward.

I only started learning PDO for about two weeks and even thou it can be a little confusing to begin with it's well worth the learning curve, i am now and already using PDO and it makes mysql look ancient in comparison and much cleaner code.

I learnt it by searching Google and i did buy a book which i would highly recommend. It's for Beginners but covers everything you need to know, it takes you through by a building a simple application and as the book goes on further you make alterations to the application. They book is well worth the money if you can afford it and not like many other books that jump to quickly without much explanation. This books explains in good detail and with good examples plus the benefit of learning to build a simple application to get you understanding and learning PDO to it's full advantage. The book is caled Learning PHP Data Objects Heres a link to the Amazon UK site for the book. This book can get you understanding and learning PDO very quickly and is easy to follow along with.

All the Best,
phplover