Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 564
  • Last Modified:

make query safe

mysql_query("insert into table1(column1) values ('')");

I am getting values from php query string


what code do I need to add  to make query safe so no injection
0
rgb192
Asked:
rgb192
4 Solutions
 
Garry GlendownConsulting and Network/Security SpecialistCommented:
Every field value you enter into the query string should be escaped upon building the insert statement. At the very least, use mysql_real_escape_string, though PHP manuals recommend to use either mysqli or PDO extensions. Also, watch out for the default character set (see above manual entries for instructions).
0
 
gr8gonzoConsultantCommented:
Data sanitation itself is cleaning up the values at the very beginning.

Make sure that any fields that should be numeric will stay numeric:

$someIDField = $_GET["someID"]; // Get the value from the query string
$someIDField = $someIDField + 0; // Adding 0 is a quick way to force PHP to convert it to a pure number (to perform the math) without changing the original value. So any non-numeric digits will be thrown out.

Determine whether or not you need the ; and " and ' characters in your string values. If not, remove them:

$strnigValue = $_GET["someString"];
$stringValue = str_replace(array(";","'",'"'),"",$stringValue);

Try your best to make sure that field values match up to what you expect them to contain. Most numeric fields shouldn't contain anything but digits and a single decimal points. If you're dealing with accounting, then you might want to include the dash or the ( ) characters, too.

Data sanitation (whenever possible) should always be your first step. Your next step should be to use mysql_real_escape_string like Garry-G suggested:

mysql_query("INSERT INTO table (stringColumn) VALUES ('".mysql_real_escape_string($stringValue)."')");
0
 
jrm213jrm213Commented:
Hi,

PDO is nice, it is what I use by default for my database access, but if you are stuck using mysql or mysqli to accomplish your goal (not all hosts install PDO) then you should be using this function

mysqli_real_escape_string
or
mysql_real_escape_string

depending on the library you are using.

you should note that while similar the implementation of procedural style of mysql_real_escape_string and mysqli_real_escape_string are different, though I believe the suggested method is the object oriented method.

see:
http://php.net/manual/en/mysqli.real-escape-string.php
and
http://us.php.net/manual/en/function.mysql-real-escape-string.php

Note also the note in the mysql_real_escape_string function, you should be using mysqli not mysql. The problem is a lot of code is out there for people to cut and paste that is using the old mysql library and it is causing a lot of people to write non secure code. There are even best practices articles out there showing some things that are no longer even suggested practices... so be careful.

In my opinion prepared statements are your best bet. Even using PDO or MySQLI you can still execute badly formed queries that could include injections or buffer overflows.
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

But as noted in posts above, sanitize your data first, make sure what you are pulling from the url makes sense (is in the form you expect), then make sure that you are also using a safe method for storing that data in the database.
0
 
rgb192Author Commented:
thanks
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now