How to fix sql injection !
Started by dungiis, Dec 02 2006 12:13 AM
4 replies to this topic
#1
Posted 02 December 2006 - 12:13 AM
Anyone have that function? Please give me a suggestion.
Thanks guys
Can you help me
#2
Posted 02 December 2006 - 12:33 AM
I swear, people have forgotten how to type and click 'search' nowadays...
http://www.pixel2lif...%20injection/1/
I personally use this function on any information to be placed into a query.
function safe_query($value, $conn) {
    // Undo magic_quotes first so the value is not escaped twice.
    if (get_magic_quotes_gpc()) $value = stripslashes($value);
    // Quote and escape anything that is not a plain number; $conn is the mysql link resource.
    if (!is_numeric($value)) $value = "'" . mysql_real_escape_string($value, $conn) . "'";
    return $value;
}
Example.
$query = mysql_query("SELECT * FROM `members` WHERE `username` = " . safe_query($_POST['username'], $conn) . " AND `password` = " . safe_query($_POST['password'], $conn) . " LIMIT 1") or die(mysql_error());
Real simple stuff.
#3
Posted 02 December 2006 - 12:44 AM
As much as I love your example with your function, your query isn't the safest =/.
$query = "SELECT * FROM users WHERE LOWER(userName) = '" . mysql_real_escape_string(strtolower($_POST['userName'])) . "' LIMIT 1";
After running that query, you then compare the hash with their given password; that's proper user validation. Not criticizing, just making it a safer coding community out there.
#4
Posted 02 December 2006 - 12:53 AM
That's not from my actual code, that was just an example I whipped up just then.
Thanks for the suggestion of using LOWER though, I'd completely forgotten about that command.
#5
Posted 02 December 2006 - 03:32 AM
I always use this to validate my stuff:
function mes($data) {
    // Encode HTML special characters, strip any tags, then escape for the SQL string.
    $data = mysql_real_escape_string(strip_tags(htmlspecialchars($data)));
    return $data;
}
It's quick and simple.
Matt
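The helpers in this thread all build the SQL string by hand and rely on escaping being applied correctly every time. A prepared statement keeps the input out of the SQL text entirely, and pairs with the hash-in-PHP check from post #3. This is an added example, not code from any poster; it assumes a PDO connection and a `users` table with `id`, `userName` and `password_hash` columns (all constructed here, SQLite in memory so it runs offline).

```php
<?php
// Added example (not from the thread). Assumes a PDO connection $pdo and a
// `users` table with columns id, userName, password_hash, where password_hash
// holds the output of password_hash() and never the plain password.

function findUserByName(PDO $pdo, string $username): ?array
{
    // The value is bound to :u and sent separately from the statement text,
    // so the database never parses it as SQL. No quoting or escaping needed.
    $stmt = $pdo->prepare(
        'SELECT id, userName, password_hash FROM users
         WHERE LOWER(userName) = :u LIMIT 1'
    );
    $stmt->execute([':u' => strtolower($username)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function verifyLogin(PDO $pdo, string $username, string $password): bool
{
    $row = findUserByName($pdo, $username);
    if ($row === null) {
        return false;
    }
    // The password check happens in PHP (post #3's point), not in the WHERE
    // clause, so the submitted password never reaches the query at all.
    return password_verify($password, $row['password_hash']);
}

// Constructed sample data. For MySQL use a DSN like
// 'mysql:host=...;dbname=...;charset=utf8mb4' instead of sqlite::memory:.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, userName TEXT, password_hash TEXT)');
$ins = $pdo->prepare('INSERT INTO users (userName, password_hash) VALUES (:u, :h)');
// A name containing a quote is a normal value here, not a special case.
$ins->execute([':u' => "O'Brien", ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(verifyLogin($pdo, "o'brien", 'correct horse')); // right user, right password
var_dump(verifyLogin($pdo, "o'brien", 'wrong'));         // right user, wrong password
var_dump(verifyLogin($pdo, 'nobody', 'correct horse'));  // unknown user
```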