abou Sql Injection?????

Love_me

Hi,

Can anyone tell me correct this in order to avoid Sql injections :

<?
	require_once("config.php");

function db_connect()
{
	mysql_connect(DATABASE_SERVER,DATABASE_USER,DATABASE_PASSWORD)
		or die("Connection error: ".mysql_error());
	mysql_select_db(DATABASE_NAME)
		or die("Database not found: ".mysql_error());
	return 0;
}
function db_close()
{
	mysql_close();
}
function db_query($query)
{
	$result = mysql_query($query) or die("<h4>error</h4> <b><font color=\"red\">".mysql_error()."</b><br><strong>[sql error here]</strong><font>");
	return $result;
}
function db_getrows($resource)
{
	$data = array();
	if (mysql_num_rows($resource) != 0)
	{
		while ($row = mysql_fetch_assoc($resource))
			$data[] = $row;
		return $data;
	}
	else
		return array();
}
?>

Weedpacket

It's impossible to say, because we don't know what is going to be passed to db_query().

What can be said is that it weakens security. You do not display to the world error messages that give details about the inner workings of your site. It's why the recommended display_errors setting in php.ini for production sites is "off". That goes for mysql_error() as well as PHP's errors.

Without the die() statements it has no impact on security one way or the other. With the die() statements it becomes an attack debugger.

Love_me

Thanks for your quick reply

So,

Do you Know a script that you recommend that works as fire wall from sql injection so that i can apply it

to my index.php

please , say yes

🙂

Weedpacket

Use the [man]PDO[/man] extension; or at the very least escape any user-supplied strings before putting them into the query.