Comments on: Protecting MySQL from SQL Injection Attacks with PHP. http://simon.net.nz/articles/protecting-mysql-sql-injection-attacks-using-php/ Simon J. Greenhill's Website Wed, 27 Jan 2010 10:46:11 +0000 http://wordpress.org/?v=abc hourly 1 By: Simon http://simon.net.nz/articles/protecting-mysql-sql-injection-attacks-using-php/comment-page-1/#comment-3667 Simon Sun, 22 Feb 2009 19:57:59 +0000 http://simon.net.nz/php/protecting_mysql_from_sql_injection_attacks_in_php/#comment-3667 Eberhard - yeah, this article is really old now! There are many better ways of doing things, like PDO. --Simon Eberhard – yeah, this article is really old now! There are many better ways of doing things, like PDO.

–Simon

]]> By: Eberhard Doerr http://simon.net.nz/articles/protecting-mysql-sql-injection-attacks-using-php/comment-page-1/#comment-3666 Eberhard Doerr Fri, 20 Feb 2009 15:47:16 +0000 http://simon.net.nz/php/protecting_mysql_from_sql_injection_attacks_in_php/#comment-3666 In PHP5 the PDO library is recommended for DB access. It contains a quote() method: "PDO::quote() places quotes around the input string (if required) and escapes special characters within the input string, using a quoting style appropriate to the underlying driver." http://de2.php.net/manual/en/pdo.quote.php So this makes your code independent of the specific database, like when you want to switch from MySQL to PostgreSQL (which would be wise IMO ;-) There is also a PDO::prepare() method that might be considered in this context. In PHP5 the PDO library is recommended for DB access.
It contains a quote() method:
“PDO::quote() places quotes around the input string (if required) and escapes special characters within the input string, using a quoting style appropriate to the underlying driver.”
http://de2.php.net/manual/en/pdo.quote.php

So this makes your code independent of the specific database, like when you want to switch from MySQL to PostgreSQL (which would be wise IMO ;-)

There is also a PDO::prepare() method that might be considered in this context.

]]> By: jalone http://simon.net.nz/articles/protecting-mysql-sql-injection-attacks-using-php/comment-page-1/#comment-3664 jalone Mon, 01 Dec 2008 00:28:26 +0000 http://simon.net.nz/php/protecting_mysql_from_sql_injection_attacks_in_php/#comment-3664 Thanks!at last i understand evrything well! there's so much confusion about this argumentù Lorenzo Thanks!at last i understand evrything well! there’s so much confusion about this argumentù
Lorenzo

]]> By: Simon http://simon.net.nz/articles/protecting-mysql-sql-injection-attacks-using-php/comment-page-1/#comment-3167 Simon Sat, 25 Aug 2007 01:51:01 +0000 http://simon.net.nz/php/protecting_mysql_from_sql_injection_attacks_in_php/#comment-3167 Thanks Tux, I agree with you there (which is why I have that <i>clean_int</i> function described above - I also have an uncomfortable feeling about relying on <i>quote_smart</i> to do the quoting of string fields for me). The programmer MUST know what the value is before s/he sends it off to the database, and what s/he's trying to store. As a programmer, it's a really good idea to think <em>very</em> carefully about what data you are likely to get entered, and what you'll do if it's <strong>not</strong> alright, and most importantly, how can you deal with this situation gracefully. --Simon Thanks Tux,

I agree with you there (which is why I have that clean_int function described above – I also have an uncomfortable feeling about relying on quote_smart to do the quoting of string fields for me).

The programmer MUST know what the value is before s/he sends it off to the database, and what s/he’s trying to store. As a programmer, it’s a really good idea to think very carefully about what data you are likely to get entered, and what you’ll do if it’s not alright, and most importantly, how can you deal with this situation gracefully.

–Simon

]]> By: TuxLives http://simon.net.nz/articles/protecting-mysql-sql-injection-attacks-using-php/comment-page-1/#comment-3163 TuxLives Fri, 24 Aug 2007 15:10:53 +0000 http://simon.net.nz/php/protecting_mysql_from_sql_injection_attacks_in_php/#comment-3163 My only issue lies here: quote_smart($value); The programmer should know what kind of data (and key) is expected so there really is no reason to throw in another evaluation into the mix (IE: "guessing about the data"). I would instead have one to clean strings (clean_string( $value, $DB );) and a second one that handles integer based data. Use them when and where you need them. Programmers should be careful and precise. But, we need more articles that are thorough in the examples, well done. My only issue lies here: quote_smart($value); The programmer should know what kind of data (and key) is expected so there really is no reason to throw in another evaluation into the mix (IE: “guessing about the data”).

I would instead have one to clean strings (clean_string( $value, $DB );) and a second one that handles integer based data. Use them when and where you need them.

Programmers should be careful and precise.

But, we need more articles that are thorough in the examples, well done.

]]>