> Best Way To Stop Sql Injections, sql injection
Daehawk
post Jun 12 2005, 07:45 PM
Post #1


Newbie [Level 3]

Group: Members
Posts: 43
Joined: 9-June 05
From: TN, USA
Member No.: 8,033



I was wondering about tips on the best way to set up your PHP site, if you had a game, to make it so SQL injection didn't work on your game.
SystemWisdom
post Jun 13 2005, 03:31 PM
Post #2


Advanced Member

Group: Members
Posts: 117
Joined: 3-May 05
From: A Canadian South of the 49th Parallel
Member No.: 6,544



SQL Injection occurs via an input form (like a login), where the form accepts special characters (like !@#$%^ etc..). One of the easiest/best ways to prevent such a compromise is to disallow any special characters and force users to only use alphanumeric values when supplying input via a web-form (abc...123...).
Even spaces should be considered invalid, since SQL injection involves the use of an SQL statement containing spaces to separate keywords (select * from [table]).

Also, you should use a URL Decoding method before validating the input, that way a %20 would get converted to a space, and filtered out (as well as any other invalid encoded characters).

Doing that should thwart about 95% (if not 100%) of any SQL Injection techniques...
FaLgoR
post Jun 13 2005, 05:11 PM
Post #3


Super Member

Group: Members
Posts: 217
Joined: 2-January 05
Member No.: 3,084



Create some function that strips the bad chars from the $vars, like |'"@!& you know. Or use some function that already exists, stripslashes for example. But do NEVER let $vars which will be in SQL functions without any kind of "preparation" or it will be easy to manipulate the database. Be careful.
karlo
post Jun 17 2005, 07:51 AM
Post #4


Privileged Member

Group: Members
Posts: 618
Joined: 30-October 04
From: Philippines
Member No.: 2,049



QUOTE(FaLgoR @ Jun 14 2005, 01:11 AM)
Create some function that strips the bad chars from the $vars, like |'"@!& you know. Or use some function that already exists, stripslashes for example. But do NEVER let $vars which will be in SQL functions without any kind of "preparation" or it will be easy to manipulate the database. Be careful.


Is there a function in PHP which will only accept alphabet letters and numbers?
beeseven
post Jun 17 2005, 06:55 PM
Post #5


Privileged Member

Group: Members
Posts: 629
Joined: 26-February 05
Member No.: 3,995



What I do is create an array of characters that I allow (letters, numbers, spaces and/or underscores). Then I replace all those with "", and if there's still stuff in the string (if($str != "")) then I kill the script and prompt for a new string.
serverph
post Jun 17 2005, 08:22 PM
Post #6


Ancient Enigma

Group: [MODERATOR]
Posts: 1,787
Joined: 11-July 04
From: under the stars
Member No.: 76



Might be helpful: http://www.unixwiz.net/techtips/sql-injection.html
SystemWisdom
post Jun 17 2005, 08:49 PM
Post #7


Advanced Member

Group: Members
Posts: 117
Joined: 3-May 05
From: A Canadian South of the 49th Parallel
Member No.: 6,544



PHP to allow only letters/numbers:

CODE

// Returns true only when the whole string consists of ASCII letters/digits.
// The '+' quantifier is required: without it the pattern matches exactly one
// character, so 'mystring123' would be rejected. '\z' (rather than '$') anchors
// at the true end of the string, so a trailing newline cannot sneak through.
function isAlphaNumeric( $szInput )
{
   return (bool) preg_match( '/^[a-zA-Z0-9]+\z/', $szInput );
}

// usage:

if( isAlphaNumeric( 'mystring123' ) )
{
   // valid
}else
{
   // invalid
}



I hope that helps!
beeseven
post Jun 18 2005, 02:35 AM
Post #8


Privileged Member

Group: Members
Posts: 629
Joined: 26-February 05
Member No.: 3,995



I don't think that there's a premade function, but you can write one, it's not that hard considering there's a function that checks if something is alphanumeric.
CODE
// ctype_alnum() already returns a boolean, so the wrapper simply forwards it.
// Pass a string: it returns false for the empty string and for any character
// outside ASCII letters/digits (spaces, quotes, percent signs, underscores).
function is_alphanum($str) {
       return ctype_alnum($str);
}

Then you just do something like
CODE
if(is_alphanum($text)) {
       echo "Alphanumeric";
} else {
       echo "Not alphanumeric";
}

Or you could just skip the function step, but whatever.

I apologize if there's something wrong with this post, I have to connect to Trap non-graphically through my school because I can't load it on my home connection.
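The whitelist approach described in posts #2, #5 and #8 (decode the form value once, then accept it only if nothing but letters, digits and underscores remain), written out as one added PHP example; this is editorial code, not code posted by anyone in the thread, and validateGameInput and the sample inputs are constructed for illustration:

```php
<?php
// Added example, not from any poster in this thread.
// Decodes a raw form value once, then accepts it only if every character is an
// ASCII letter, digit or underscore. Spaces, quotes and percent-encoded
// punctuation are rejected outright rather than stripped.

function validateGameInput(string $raw, int $maxLen = 32): ?string
{
    // Decode %XX sequences exactly once so an encoded special character such as
    // %27 cannot slip past the check (post #2's point). Decoding only once is
    // deliberate: decoding in a loop would turn "%2527" into a quote.
    $decoded = rawurldecode($raw);

    if ($decoded === '' || strlen($decoded) > $maxLen) {
        return null;
    }

    // ctype_alnum() rejects the empty string and anything outside [A-Za-z0-9],
    // so underscores are removed first to allow names like player_42.
    $stripped = str_replace('_', '', $decoded);
    if ($stripped === '' || !ctype_alnum($stripped)) {
        return null;
    }
    return $decoded;
}

// Constructed sample inputs, as a form handler would see them in $_POST / $_GET.
$samples = [
    'player42',     // accepted
    'player_42',    // accepted
    'player 42',    // rejected: space
    'player%2042',  // rejected: %20 decodes to a space
    "player'42",    // rejected: quote
    'player%2742',  // rejected: %27 decodes to a quote
    "player42\n",   // rejected: trailing newline
    '',             // rejected: empty
];
foreach ($samples as $input) {
    $result = validateGameInput($input);
    printf("%-14s -> %s\n", var_export($input, true),
        $result === null ? 'rejected' : 'accepted');
}
```

Whitelisting like this only fits fields that are genuinely alphanumeric (a login name, a numeric id); a free-text field cannot be validated this way, and even a validated value should reach the database through a parameterized query rather than string concatenation.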
Daehawk
post Jun 18 2005, 07:14 AM
Post #9


Newbie [Level 3]

Group: Members
Posts: 43
Joined: 9-June 05
From: TN, USA
Member No.: 8,033



Thanks for all the posts. This will help me a lot with things. Yeah, I had wondered where this post went after I posted it because I couldn't find it, then...boom, there it is. Yay. I'm gonna save everything all of you posted to a WordPad document to get to faster without having to log in here when I am off working on coding my game.
