How do I make this query SQL injection proof?
How can I make this query SQL injection proof?
$sql=mysql_query("SELECT * FROM updates ORDER BY item_id DESC LIMIT 16");
while($row=mysql_fetch_array($sql))
{
    $msg_id=$row['item_id'];
    $message=$row['item_content'];
}
Or can someone show me some examples, or send me a link to a tutorial? I'm very new to this, and if anyone could help me it would be great! :)
That query is already "SQL injection proof".
SQL injection attacks happen when you take an external string, and concatenate it into your query without using bind variables, escaping or proper sanitization.
For example, if your query looked like this:
$sql=mysql_query("SELECT * FROM updates where order_ref = '$order_ref' ORDER BY item_id DESC LIMIT 16");
Then you would have an issue if the variable $order_ref could be influenced by the environment (an HTTP query parameter, command line argument, basically anything that can be influenced by the user). If someone could pass a value into your application like "'; delete from updates;" then you would have a problem.
One solution in my above example would be to first escape the values in $order_ref like this:
$safe_order_ref = mysql_real_escape_string($order_ref);
$sql=mysql_query("SELECT * FROM updates where order_ref = '$safe_order_ref' ORDER BY item_id DESC LIMIT 16");
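A runnable illustration of the point made in the answer above (added here, not code from any answerer), using Python's sqlite3 against a constructed in-memory stand-in for the `updates` table: the same hostile `order_ref` value from the answer changes the statement when concatenated, but is treated as plain data when bound as a parameter or escaped with the target dialect's own rule.

```python
import sqlite3

# Constructed stand-in for the question's `updates` table, with an order_ref column
# added so the answer's WHERE clause can be reproduced.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE updates (item_id INTEGER, order_ref TEXT, item_content TEXT)")
    conn.executemany("INSERT INTO updates VALUES (?, ?, ?)",
                     [(1, "A100", "first"), (2, "A200", "second")])
    return conn

def naive_query(conn, order_ref):
    """Concatenation, as in the vulnerable example: the value becomes SQL text."""
    sql = ("SELECT * FROM updates WHERE order_ref = '%s' "
           "ORDER BY item_id DESC LIMIT 16" % order_ref)
    return conn.execute(sql).fetchall()

def escaped_query(conn, order_ref):
    """Escaping for SQLite (quote doubling). MySQL's mysql_real_escape_string uses a
    different, backslash-based rule, which is why escaping must match the dialect."""
    safe = order_ref.replace("'", "''")
    sql = ("SELECT * FROM updates WHERE order_ref = '%s' "
           "ORDER BY item_id DESC LIMIT 16" % safe)
    return conn.execute(sql).fetchall()

def parameterized_query(conn, order_ref):
    """Bind variable: the value is passed alongside the SQL and never parsed as SQL."""
    sql = "SELECT * FROM updates WHERE order_ref = ? ORDER BY item_id DESC LIMIT 16"
    return conn.execute(sql, (order_ref,)).fetchall()

def compare(conn, order_ref):
    """Return ('rows', ...) or ('error', message) for the naive query, plus the
    results of the escaped and parameterized versions for the same input."""
    try:
        naive = ("rows", naive_query(conn, order_ref))
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # sqlite3 refuses to run more than one statement per execute() call, so the
        # error itself shows that the input was parsed as a second statement.
        naive = ("error", str(exc))
    return naive, escaped_query(conn, order_ref), parameterized_query(conn, order_ref)

def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM updates").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    print(compare(db, "A100"))                      # all three return the A100 row
    print(compare(db, "'; delete from updates;"))   # naive: error; others: no rows
    print(row_count(db))                            # still 2
```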
It already is since you aren't using any user input to construct it.
It is injection-proof. Injection happens when you construct your SQL from several strings, of which some come from the user, in the $_GET, or $_POST, or $_COOKIE collection. Yours is static - there's no place to inject.
My man. You are just pulling data from your database. SQL injection happens when a user is providing input by a form or GET variable (GET not recommended) that you will use in the query itself.
Let's say you have a form that posts the name of someone.
Your SQL would look like:
$query='SELECT * FROM people WHERE name='.$_POST['name'];
You would need to clean the data posted by the user with mysql_real_escape_string() or some other SQL cleaning function.
Another thing: nothing is SQL injection proof. There always seems to be a funny little way to exploit. What you want to do is make it so time consuming people give up.
Keep on keeping on brother.
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.
For more detail see HERE. After reading this you should know why everybody says your query is already SQL injection proof.