gingera asked:
How to protect my form against MySQL injection and other attacks?

SECURITY PHP MYSQL

Hello,

I am a newbie. I have just coded a very simple query form that retrieves data from a MySQL database.

I have heard about dangers of not coding forms properly resulting in security breaches.

Could you please advise what I must change in my code to protect the form from MySQL injection and other possible attacks?

Thanks in advance.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Filename: search.html
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
 
 
<form name="form" action="obtain_company_name.php" method="get">
 
<b>COMPANY REGISTRATION NO.:</b>  
 
<input type="text" name="q" /> &nbsp; <input type="submit" name="Submit" value="Search" />
 
</form>
 
 
 
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Filename: obtain_company_name.php
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
 
 
<?php
 
$var = @$_GET['q'] ;               // raw, untrusted value straight from the query string
$trimmed = trim($var);              // trim whitespace from the stored variable
 
 
mysql_connect("localhost","username","password");   // mysql_* extension (removed in PHP 7)
 
mysql_select_db("company_database") or die("Unable to select database"); 
 
 
// $trimmed is interpolated directly into the SQL text: this is the injection point
$query = "SELECT * FROM company_records WHERE co_reg LIKE \"%$trimmed%\" "; 
 
$result = mysql_query($query) or die("Couldn't execute query");
 
 
while ($row = mysql_fetch_array($result))
		{
			extract($row);   // turns every column into a variable of the same name
 
			echo "$co_reg $co_name";   // database values echoed into HTML without escaping
 
		}
 
?>

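The same search hardened against the injection, as an added example by the editor (not code from gingera or from any of the answers on this page). It keeps the page's table and column names (company_records, co_reg, co_name) but runs against an in-memory SQLite database with two constructed rows so that it executes offline; for the real site the DSN would be mysql:host=localhost;dbname=company_database with the question's credentials. Requires the pdo_sqlite extension.

```php
<?php
// Added example (editor's code, not the original poster's). Constructed data:
// two rows in an in-memory SQLite table standing in for company_database.

function build_vulnerable_query(string $q): string
{
    // Exactly what the original obtain_company_name.php does: string interpolation.
    // Built only to show the resulting SQL; it is never executed here.
    $trimmed = trim($q);
    return "SELECT * FROM company_records WHERE co_reg LIKE \"%$trimmed%\" ";
}

// Escape LIKE metacharacters so that a user typing "%" or "_" matches those
// characters literally instead of widening the search. "!" is an arbitrary
// escape character, declared in the ESCAPE clause of the query below.
function escape_like(string $s, string $esc = '!'): string
{
    // $esc is replaced first, so the escapes added afterwards are not doubled.
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $s);
}

function search_companies(PDO $db, string $q): array
{
    $trimmed = trim($q);
    // Parameterised query: the value travels separately from the SQL text, so a
    // quote inside $trimmed can never end the literal or append a clause.
    $stmt = $db->prepare(
        "SELECT co_reg, co_name FROM company_records WHERE co_reg LIKE :pat ESCAPE '!'"
    );
    $stmt->execute([':pat' => '%' . escape_like($trimmed) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function render_rows(array $rows): string
{
    $out = '';
    foreach ($rows as $row) {
        // Escape each field on output; what came back from the DB is still data.
        $out .= htmlspecialchars($row['co_reg'], ENT_QUOTES, 'UTF-8') . ' '
              . htmlspecialchars($row['co_name'], ENT_QUOTES, 'UTF-8') . "<br>\n";
    }
    return $out;
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE company_records (co_reg TEXT, co_name TEXT)');
$ins = $db->prepare('INSERT INTO company_records VALUES (?, ?)');
$sample = [
    ['200801234', 'Acme Pte Ltd'],                              // constructed
    ['200905678', 'Beta <script>alert(1)</script> Inc'],        // constructed, hostile name
];
foreach ($sample as $r) {
    $ins->execute($r);
}

$hostile = '" OR 1=1 -- ';

// 1. The SQL the original code would send for this value of q.
echo build_vulnerable_query($hostile), "\n";

// 2. The same value through the prepared statement is just a search pattern.
echo count(search_companies($db, $hostile)), " rows for the hostile input\n";

// 3. A normal search, then a lone "%" that stays a literal character.
echo render_rows(search_companies($db, '2008'));
echo count(search_companies($db, '%')), " rows for a literal %\n";
```

Give the original string-built query the value `" OR 1=1 -- ` and the text it produces is `... WHERE co_reg LIKE "%" OR 1=1 -- %"`, which matches every row; through the prepared statement the same characters are a pattern that matches nothing. The ESCAPE clause is the part that usually gets forgotten: without it a user typing `%` or `_` silently turns a lookup into a wildcard scan. On MySQL also pass `PDO::ATTR_EMULATE_PREPARES => false` in the options so that parameters are bound on the server rather than quoted client-side.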

SOLUTION by hielo (members only; not shown on this page)
SOLUTION (members only; not shown on this page)
SOLUTION (members only; not shown on this page)
ASKER CERTIFIED SOLUTION (members only; not shown on this page)
SOLUTION (members only; not shown on this page)
gingera (ASKER):

Fantastic response everyone!

I will definitely read the quoted references, at a later stage, when I get a chance.

In the meantime, thank you so much ehabafia and Frosty555 for suggesting specific improvements to my code above. That is what I am looking for.

I will try the 2 suggestions and let you know if I bump into any problems.

QUESTIONS:
(1) Apart from the 2 suggestions, is there anything else I specifically need to do to my code to improve security?

(2) Also, do you guys know of any good applications or scripts that test vulnerability on a specific webpage? After implementing all your suggestions, I would like to be able to test out the specific webpages for potential vulnerability.

Thanks a million again!
SOLUTION (members only; not shown on this page)
gingera (ASKER):

Frosty555,

I have a question regarding your suggestion of htmlspecialchars().


If I have:

echo "<b> $co_reg </b> - <font color=red> $co_name </font>";

Is this what I should do?

echo "<b> ". htmlspecialchars($co_reg) ." </b> - <font color=red> ". htmlspecialchars($co_name) ." </font>";

Or could I?

$output = "<b> $co_reg </b> - <font color=red> $co_name </font>";

echo htmlspecialchars($output);
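The two placements the asker compares, applied to one constructed hostile value, as an added example (editor's code, not from the thread). Also shown, because it is the next trap after the body-text case: the same value placed inside an attribute and a URL, where htmlspecialchars() alone is the wrong tool.

```php
<?php
// Added example (editor's code, not from the thread). Constructed values:
$co_reg  = '200905678';
$co_name = 'Beta <script>alert(1)</script> & Sons';   // hostile company name

function escape_each_field(string $co_reg, string $co_name): string
{
    // Escape the data, not the markup: your own <b> and <font> stay tags,
    // while the <script> inside $co_name is rendered as inert text.
    return '<b> ' . htmlspecialchars($co_reg, ENT_QUOTES, 'UTF-8') . ' </b> - '
         . '<font color=red> ' . htmlspecialchars($co_name, ENT_QUOTES, 'UTF-8') . ' </font>';
}

function escape_whole_string(string $co_reg, string $co_name): string
{
    // Escaping the assembled string is also safe, but it converts <b> and <font>
    // into &lt;b&gt; and &lt;font&gt; as well, so the browser shows raw tag text.
    $output = "<b> $co_reg </b> - <font color=red> $co_name </font>";
    return htmlspecialchars($output, ENT_QUOTES, 'UTF-8');
}

function link_to_company(string $co_reg, string $co_name): string
{
    // Data in a different context needs a different encoder: the href value is
    // URL-encoded, the title attribute is HTML-encoded inside a QUOTED attribute
    // with ENT_QUOTES, so a stray " in the data cannot close the attribute and
    // start an onmouseover=... of its own.
    return '<a href="obtain_company_name.php?q=' . rawurlencode($co_reg) . '"'
         . ' title="' . htmlspecialchars($co_name, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($co_reg, ENT_QUOTES, 'UTF-8') . '</a>';
}

echo escape_each_field($co_reg, $co_name), "\n";
echo escape_whole_string($co_reg, $co_name), "\n";
echo link_to_company($co_reg, $co_name), "\n";
```

Both of the asker's variants stop the script from running; only the per-field one still renders the bold and red markup. The general rule is to encode each piece of data at the moment it is placed into output, using the encoder for that specific context (HTML body, attribute, URL, JavaScript), rather than encoding a string that already mixes data and markup.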



gingera (ASKER):

routinet, what is mres()? Could you expand on it?

I googled mres() and found "Meals Ready to Eat" ?!?
gingera (ASKER):

- - - - - - - - - - - - - - -
stripslashes()
- - - - - - - - - - - - - - -

While reading some of the references quoted above, I see people referring to stripslashes()

How do I use stripslashes() in my example above?

Thanks.
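An added example (editor's code, not from the thread) showing where stripslashes() belongs and what mres() most likely abbreviates; it serves both the mres() question and the stripslashes() question above. The reply that used mres() is not visible on this page, so reading it as shorthand for mysql_real_escape_string is an assumption here. The connection uses mysqli with the placeholder credentials from the question and needs a reachable MySQL server.

```php
<?php
// Added example (editor's code, not from the thread).
// Assumptions: "mres" is shorthand for mysql_real_escape_string (the reply that
// used it is not on this page); the credentials are the question's placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // throw instead of returning false

// 1. stripslashes() only ever belonged here: undoing magic_quotes_gpc, the old
//    php.ini setting that pre-escaped every ' " \ in $_GET/$_POST with a backslash.
//    Calling it unconditionally strips legitimate backslashes from user input.
//    The guard keeps this portable: get_magic_quotes_gpc() returns false on
//    PHP 5.4+ and no longer exists on PHP 8.
function raw_input(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// 2. mres(): escape for the connection's character set, immediately before the
//    value goes inside a quoted SQL literal. It does nothing for LIKE wildcards
//    (% and _) or for unquoted numeric contexts, which is why a prepared
//    statement is the better default and this is the legacy alternative.
function mres(mysqli $db, string $value): string
{
    return $db->real_escape_string($value);
}

$db = new mysqli('localhost', 'username', 'password', 'company_database');
// Escaping depends on the charset the client library believes is in use, so set
// it through the API and not with a "SET NAMES" query the library cannot see.
$db->set_charset('utf8mb4');

$q = mres($db, trim(raw_input($_GET['q'] ?? '')));

// The escaped value sits inside single quotes: the only place mres() output is safe.
$result = $db->query("SELECT co_reg, co_name FROM company_records WHERE co_reg LIKE '%$q%'");
while ($row = $result->fetch_assoc()) {
    echo htmlspecialchars($row['co_reg'], ENT_QUOTES, 'UTF-8'), ' ',
         htmlspecialchars($row['co_name'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

The order matters: strip the magic-quotes backslashes first (if the server ever added them), trim, then escape once with the live connection's charset right at the point of use. Escaping on the way in and again on the way out, or escaping and then also stripping slashes, is how data ends up double-escaped in the database or unescaped in the query.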
SOLUTION (members only; not shown on this page)
gingera (ASKER):

Only one outstanding question left... before I close this question thread and award points.


Regarding htmlspecialchars()....


If I have:

echo "<b> $co_reg </b> - <font color=red> $co_name </font>";

Is this what I should do?

echo "<b> ". htmlspecialchars($co_reg) ." </b> - <font color=red> ". htmlspecialchars($co_name) ." </font>";

Or could I?

$output = "<b> $co_reg </b> - <font color=red> $co_name </font>";

echo htmlspecialchars($output);


SOLUTION (members only; not shown on this page)
gingera (ASKER):

Thank you for your inputs!

Specific suggestions for my code were what I was looking for.

Reference to links is very helpful, but does not really answer my question directly.

So most of the points are awarded to ehabafia and Frosty555 for providing specific suggestions, and "thank-you points" are awarded for relevant commentary and reference links.

Thank you once again! I have learnt a lot from you!

From your grading comments:

>>> Reference to links is very helpful, but does not really answer my question directly.

I beg to differ.  The links I provided not only answer your questions directly, but I consider them to be the PRIMARY source of this information.  When in doubt, RTFM...it tends to save a lot of hassle in the long run.

Good luck!