Solved

php code to make it secure

Posted on 2011-04-18
Last Modified: 2012-06-21
How can I make this code more secure to prevent SQL injection?
<?php
 
    $db = mysql_connect("localhost","root","$$sshhh...!");
    mysql_select_db("Shipping",$db);
    $id = $HTTP_GET_VARS["id"];
    $qry = "SELECT ccnum FROM cust WHERE id =%$id%";
    $result = mysql_query($qry,$db);
    if ($result) {
        echo mysql_result($result,0,"ccnum");
    } else {
        echo "No result! " . mysql_error();
    }
?>

I am trying to add validation for id.
Is it enough, or do I need to do something else?

<?php
    $db = mysql_connect("localhost","root","$$sshhh...!");
    mysql_select_db("Shipping",$db);
    $id = $HTTP_GET_VARS["id"];
    if (is_int($id)) {
        $qry = "SELECT ccnum FROM cust WHERE id =%$id%";
        $result = mysql_query($qry,$db);
        if ($result) {
            echo mysql_result($result,0,"ccnum");
        } else {
            echo "No result! " . mysql_error();
        }
    }
?>
Question by:YUYU
4 Comments

Accepted Solution by: hernst42 (LVL 48), earned 800 total points. ID: 35420062
See http://www.php.net/mysql_real_escape_string
Pass all content from $_GET, $_POST, $_REQUEST, $_COOKIE through mysql_real_escape_string before using it inside the SQL statement.
 
Assisted Solution by: Aaron Tomosky (LVL 39), earned 800 total points. ID: 35420275
is_int will do a good job of preventing anything bad from happening. When you need to pass strings there are other functions like stripslashes and htmldecode and many others. Here is a nice little writeup from php.net:
http://php.net/manual/en/security.database.sql-injection.php
 
Assisted Solution by: Ray Paseur (LVL 111), earned 400 total points. ID: 35420779
The simple mantra is "Accept only known good values."  Think you got an email address?  Use filter_var() and test to see if it is routable.  Think you got a postal address?  Try to secure the geocode information from one of the Yahoo or Google mapping tools.  Think you have a ZIP code or a telephone number?  There are good ways to test.  Use all of these tests, then escape the code with mysql_real_escape_string() and you will likely be safe.
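As an added example (not code from the asker or any of the answers above), here is the "accept only known good values, then keep data out of the SQL text" approach the answers describe, applied to the question's lookup. Request parameters always arrive as strings, so is_int() on $_GET['id'] is never true; the example validates with filter_var() and then binds the value in a prepared statement. It assumes PDO with an in-memory SQLite database standing in for the MySQL "Shipping" database (the mysql_* functions on this page were removed in PHP 7), and the table rows are constructed.

```php
<?php
// Added example, not from the original question or answers. The "cust" table
// is rebuilt in an in-memory SQLite database via PDO so it runs offline; the
// sample rows are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cust (id INTEGER PRIMARY KEY, ccnum TEXT NOT NULL)');
$db->exec("INSERT INTO cust (id, ccnum) VALUES (1, 'tok_1'), (2, 'tok_2')");

/**
 * Validate the raw query-string value as a positive integer, then look the row
 * up with a bound parameter so the value never becomes part of the SQL text.
 * Returns null when the input is rejected or no row matches.
 */
function lookupCcnum(PDO $db, string $rawId): ?string
{
    // Request parameters are strings, so is_int("5") is false. FILTER_VALIDATE_INT
    // accepts only integer syntax and returns an int (or false on rejection).
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;            // rejects "1 OR 1=1", "1; ...", "", "abc"
    }
    $stmt = $db->prepare('SELECT ccnum FROM cust WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['ccnum'];
}

// Constructed inputs standing in for $HTTP_GET_VARS["id"] in the question.
$inputs = ['1', '2', '99', '1 OR 1=1', "1'; DROP TABLE cust; --", 'abc', ''];
foreach ($inputs as $raw) {
    $result = lookupCcnum($db, $raw);
    printf("%-28s => %s\n", var_export($raw, true), $result ?? 'rejected / no result');
}
// Note: on failure the question's code echoes mysql_error() to the client,
// which discloses schema details; log errors server-side and show a generic
// message instead.
```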

Question has a verified solution.