Hi All,

I'm building a new site -- where people can save code to my database, but after my sites got hacked last week -- I'm really starting to see how important it is to protect against SQL injections.

So,

Right now i'm using this...

$value = $_GET['val']; // e.g. A MYSQL QUERY BEING SAVED TO THE DB LIKE SELECT * FROM TABLE

// Undo magic_quotes so the value is not escaped twice
if ( get_magic_quotes_gpc() ){
	$value = stripslashes( $value );
}
// Escape for use inside a single-quoted SQL string literal
$value = "'" . mysql_real_escape_string( $value ) . "'";

// Its passed -- insert into DB...

But I've just read that mysql_real_escape_string doesn't help with the ` character. (This vBulletin forum let me save it to their DB - so I'm guessing there are ways of securing against it.)

As i am saving code to my DB, i also need everything to stay "intact" or how it is entered.

Any help in this would be amazing!!!


Also, on a quick note, i've been using this (which i now know is stupid!)

$getthis = $_GET['val'];

include($getthis . '.php');

I never even thought about hackers entering something with "?=" at the end to hack my sites 🙁 I'm such a newbie!!!

Cheers again for the help 🙂

    itsallgood wrote:

    But i've just read that mysql_real_escape_string doesnt help with the ` character.

    That is not a problem since you would be using mysql_real_escape_string with string input, so the single quotes used to delimit the string in the SQL statement would render backticks (and the standard double quotes) harmless.

    With numeric input instead, you would cast (or otherwise format) the input to the desired type.

    Incidentally, I suggest that you use the PDO extension or MySQLi extension instead of the MySQL extension, particularly due to their support for prepared statements.
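As an added example (not code from either poster), here is what the prepared-statement approach laserlight suggests looks like for this exact use case: saving user-supplied code verbatim and reading it back. The DSN, credentials and the `snippets` table (`id INT AUTO_INCREMENT PRIMARY KEY, body TEXT`) are assumed placeholders; the hostile input is constructed for the demo. Because the parameter value travels separately from the SQL text, backticks, quotes, comment markers and semicolons in it are stored as plain data and cannot alter the statement. Numeric input is cast and bound as an integer instead of being escaped.

```php
<?php
// Added example, not from the original thread.
// Assumes a reachable MySQL server (placeholder DSN/credentials below) and
// a table `snippets` (id INT AUTO_INCREMENT PRIMARY KEY, body TEXT).

$dsn  = 'mysql:host=localhost;dbname=mysite;charset=utf8mb4'; // assumed
$user = 'dbuser';                                            // assumed
$pass = 'dbpass';                                            // assumed

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
]);

// Constructed hostile input: backticks, quotes, a comment marker and a second statement.
$value = "SELECT * FROM `users` WHERE name = 'admin' -- ' OR 1=1; DROP TABLE snippets;";

// The placeholder is bound separately from the SQL text, so nothing in $value
// can change the statement's structure; it is stored exactly as entered.
$ins = $pdo->prepare('INSERT INTO snippets (body) VALUES (:body)');
$ins->execute([':body' => $value]);
$id = (int) $pdo->lastInsertId();

// Numeric input: cast to the expected type and bind it as an integer.
$requestedId = isset($_GET['id']) ? (int) $_GET['id'] : $id;
$sel = $pdo->prepare('SELECT body FROM snippets WHERE id = :id');
$sel->bindValue(':id', $requestedId, PDO::PARAM_INT);
$sel->execute();
$stored = $sel->fetchColumn();

// The saved code round-trips unchanged, backticks and all.
var_dump($stored === $value);
```

Run it from the command line with `php` after filling in the DSN and credentials; with `PDO::ERRMODE_EXCEPTION` any connection or SQL error surfaces as an exception rather than a silent failure.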

      Thanks for your reply laserlight -- i've looked at the PDO link you posted, but i've no idea what it is 🙁

Also, I'm on a shared host - so I think I can only use MySQL and no other database.

      Does my code look like it would protect me from injections then? Could you offer advice on securing my bad "include" php code...???

      Many thanks for your reply.

        itsallgood wrote:

        i've looked at the PDO link you posted, but i've no idea what it is

        Read further 😉

        itsallgood wrote:

        Also, im on a shared host - so i think i can only use MySQL and no other database.

        Check if your shared host provides PDO support for MySQL.

        itsallgood wrote:

        Does my code look like it would protect me from injections then?

        Probably.

        itsallgood wrote:

        Could you offer advice on securing my bad "include" php code...?

        One way is to check if the incoming input matches some known input (e.g., from an array of allowed values), and only use it if it does.

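As an added example (not code from either poster), here is the allowlist check laserlight describes applied to the `include($_GET['val'] . '.php')` code from the first post. The page names and file paths are assumed. The incoming value is only ever used as a lookup key, so a path like `../../etc/passwd` or a remote URL followed by `?` (which would turn the appended `.php` into a query string) never reaches `include` at all.

```php
<?php
// Added example, not from the original thread.
// Replaces include($_GET['val'] . '.php') with a lookup against a fixed allowlist.
// Page names and file paths below are assumed for illustration.

$pages = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

/**
 * Return the file to include for a requested page name.
 * Only an exact key match counts: "../etc/passwd", "http://evil.example/shell.txt?"
 * and array values such as ?val[]=x all fail the lookup and get the default page.
 */
function resolvePage(array $pages, $requested, $default = 'home')
{
    if (is_string($requested) && array_key_exists($requested, $pages)) {
        return $pages[$requested];
    }
    return $pages[$default];
}

$val = isset($_GET['val']) ? $_GET['val'] : '';
include resolvePage($pages, $val);
```

Keeping the map in code (rather than deriving file names from the request) also means adding a page is an explicit edit, and `allow_url_include` can stay off with no loss of functionality.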