SQL injection
#5
(06-07-2016, 10:44 PM)thispc Wrote: Sir, I totally get it... I just want this thread to be a precautionary measure, if anyone uses PHP to connect to a database.
And as you say, this basic example which I provided can be avoided through the mysql_real_escape_string() function.
But there are dozens of other security vulnerabilities in SQL/PHP that can be of help to everyone for "security enhancements"..
For example, even if we use this escape function, LIKE %% or _ can be used to guess password length or characters inside it, "if used carelessly".

Yes, I agree there are countless vulnerabilities, and the best way to defend known to me is to prepare the queries before executing them.

Using the PHP MySQLi extension
PHP Code:
<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// Prepare the statement once; the ? placeholders are filled by bound variables,
// so the values are sent as data and never parsed as SQL
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) VALUES (?, ?, ?)");
$stmt->bind_param("sss", $firstname, $lastname, $email);

// Set parameters and execute; bind_param binds by reference, so reassigning
// the variables and calling execute() again reuses the same prepared statement
$firstname = "John";
$lastname = "Doe";
$email = "[email protected]";
$stmt->execute();

$firstname = "Mary";
$lastname = "Moe";
$email = "[email protected]";
$stmt->execute();

$firstname = "Julie";
$lastname = "Dooley";
$email = "[email protected]";
$stmt->execute();

echo "New records created successfully";

$stmt->close();
$conn->close();
?>

Using the PDO extension

PHP Code:
<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDBPDO";

try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    // Set the PDO error mode to exception so failures are not silently ignored
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // Prepare the SQL with named placeholders and bind PHP variables to them
    $stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email)
        VALUES (:firstname, :lastname, :email)");
    $stmt->bindParam(':firstname', $firstname);
    $stmt->bindParam(':lastname', $lastname);
    $stmt->bindParam(':email', $email);

    // Insert a row (bindParam binds by reference, so the values are read at execute time)
    $firstname = "John";
    $lastname = "Doe";
    $email = "[email protected]";
    $stmt->execute();

    // Insert another row
    $firstname = "Mary";
    $lastname = "Moe";
    $email = "[email protected]";
    $stmt->execute();

    // Insert another row
    $firstname = "Julie";
    $lastname = "Dooley";
    $email = "[email protected]";
    $stmt->execute();

    echo "New records created successfully";
} catch (PDOException $e) {
    echo "Error: " . $e->getMessage();
}
$conn = null;
?>

Examples are from W3Schools
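As an added example (not part of the original post and not from W3Schools), the PHP script below uses PDO against an in-memory SQLite database so it runs offline without a MySQL server; the users table, its rows, and the helper names escapeLikePattern, findUsersByNamePrefix and countUsersNamed are all constructed for illustration. It shows two things: a bound parameter is treated as data no matter what it contains, and, for the LIKE point raised in the quoted reply, binding alone is not enough when user input becomes part of a LIKE pattern, because % and _ inside a bound value are still wildcards to the database engine. The fix is to escape those characters in the value and declare the escape character with an ESCAPE clause.

```php
<?php
// Added example, not from the original post or W3Schools. Uses pdo_sqlite in
// memory so it runs without a database server; table and rows are constructed.

// Neutralise the LIKE metacharacters (% and _) and the escape character itself
// so that user input is matched literally. Parameter binding does not do this:
// a bound "%" is still a wildcard once the engine evaluates LIKE.
function escapeLikePattern(string $value, string $escape = '!'): string
{
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

// Prefix search: the user-supplied part is escaped, the trailing % is ours,
// and the ESCAPE clause tells the engine which character we used.
function findUsersByNamePrefix(PDO $conn, string $prefix): array
{
    $stmt = $conn->prepare(
        "SELECT username FROM users WHERE username LIKE :pattern ESCAPE '!' ORDER BY username"
    );
    $stmt->execute([':pattern' => escapeLikePattern($prefix) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Exact match with a bound value: the value is sent as data, never parsed as SQL.
function countUsersNamed(PDO $conn, string $username): int
{
    $stmt = $conn->prepare("SELECT COUNT(*) FROM users WHERE username = :username");
    $stmt->execute([':username' => $username]);
    return (int) $stmt->fetchColumn();
}

$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$conn->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT NOT NULL)");

// Constructed rows; note "a_b" contains a LIKE metacharacter on purpose.
$insert = $conn->prepare("INSERT INTO users (username, email) VALUES (:username, :email)");
foreach (['alice', 'bob', 'a_b', 'carol'] as $name) {
    $insert->execute([':username' => $name, ':email' => $name . '@example.invalid']);
}

// The classic tautology string is compared literally as a username; it cannot
// change the query, so it simply does not match any row.
var_dump(countUsersNamed($conn, "' OR '1'='1"));

// Prefix searches: in "a_" the underscore is escaped, so it only matches a
// literal underscore instead of acting as a single-character wildcard, and a
// lone "%" is escaped, so it no longer matches every username.
print_r(findUsersByNamePrefix($conn, 'a'));
print_r(findUsersByNamePrefix($conn, 'a_'));
print_r(findUsersByNamePrefix($conn, '%'));

$conn = null;
```

The same code works against MySQL by swapping the DSN for the mysql:host=...;dbname=... form used in the PDO sample above. With pdo_mysql it is also worth setting PDO::ATTR_EMULATE_PREPARES to false, so the statement is prepared by the server rather than by the driver interpolating quoted values client-side.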

