May
sql injection
http://in.php.net/mysql_real_escape_string from the "Example #3 A "Best Practice" query" section of this page
following are the steps i have followed after the form values are submitted to a php file.
step 1.
if(get_magic_quotes_gpc())
{
$username = stripslashes($_POST["username"]);
………
}
else
{
$username = $_POST["username"];
………
}
step 2.
$conn = mysql_connect($hostname, $user, $password);
step 3.
$insertquery = sprintf("INSERT INTO table (`username`, …) VALUES (’%s’, …)", mysql_real_escape_string($username, $conn),
…);
step 4.
if(!$conn)
{
header("Location: http://website/dberror.html");
exit;
}
else
{
mysql_select_db($database, $conn);
$insertqueryresult = mysql_query($insertquery);
if(!$insertqueryresult) {
header("Location: http://website/error.html");
exit; }
}
with the above method i am able to insert values into the table even with if i enter the ‘ special character which can cause
problems.
i have also used a simple sql insert query like
$insertquery = "INSERT INTO table(username, …) VALUES (’$username’, …)";
when i used this simple insert query and if i entered ‘ in the form and submitted the form the php file is unable to process
the information entered because of the ‘ character and as per the code error.html file is being displayed where as if i use
$insertquery = sprintf("INSERT INTO table (`username`, …) VALUES (’%s’, …)", mysql_real_escape_string($username, $conn),
…);
even if i enter any number of ‘ characters in more than 1 form field data is being inserted into the table
a)
so i am thinking that the steps i have taken from the php site is correct and the right way to avoid sql injection though
there are several ways to avoid sql injection.
b)
for example if i enter data in the form as = abc”’def for name, the data in the table for the name field is being written as
abc”’def
based on how i have written the steps to avoid sql injection is this the right way for the data to be stored with ‘
characters along with the data example as i mentioned = abc”’def
please answer the questions a) and b) if there is something else i need to do please suggest what needs to be done exactly
and at which step.
any help will be greatly appreciated.
thanks.
Relevant Links