Securing mysql queries in php

Nearly all websites today use a database backend to store information, because databases are fast and can hold a great deal of data.
One of the most common is MySQL, and to access it from a web page we need a server-side language such as PHP.
PHP and MySQL work together seamlessly, letting web developers build fast, content-rich websites very quickly.
The problem arises when the script that queries the database does not validate or escape user input.
E.g. a page that loads a news item depending on its id, "news.php?id=1", where id refers to the id of the article in the database.
The SQL query would probably read something like this (the original had $_GET['id'] bare inside the double-quoted string, which is a PHP parse error; the braces make it interpolate, and the query is still just as injectable):
$query = "SELECT * FROM `articles` WHERE `article_id` = {$_GET['id']}";

If this script was used in the real world (and they often are) then an attacker could break out of the intended query and construct their own, and run any query they want on the database. A request such as news.php?id=1 OR 1=1 already returns every row; from there they could read other tables (such as user passwords), change articles, or deface the whole site: whatever the attacker wishes to do to the website.
This can usually be solved easily: by filtering the input we can prevent any malicious queries from being run.
The easiest way to do this is to use PHP's mysql_real_escape_string function. By passing all our variables through it we add another line of defense against attackers.
Eg, the above script would be filtered like this:
$secureid = mysql_real_escape_string($_GET['id']);
$query = "SELECT * FROM `articles` WHERE `article_id` = '$secureid'";

Note the single quotes around '$secureid': they are essential. mysql_real_escape_string only escapes quote and backslash characters, so in an unquoted numeric context like the original query the input 1 OR 1=1 contains nothing to escape and passes straight through. For a numeric id the simplest filter is a cast, (int)$_GET['id']. Also bear in mind that the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7; with mysqli or PDO you can use prepared statements, which keep the data out of the SQL text altogether rather than relying on escaping.
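To make the difference concrete, here is an added example (mine, not part of the original post) that covers both the injectable query above and the filtered version. It builds a tiny `articles` table with a constructed `published` flag, runs the attacker's input through the vulnerable query, an integer-cast query, and a PDO prepared statement, and shows what each returns. It uses PDO with an in-memory SQLite database so it runs offline; for MySQL only the DSN changes (`mysql:host=...;dbname=...`), the prepared-statement code is the same. The table layout and the sample rows are assumptions for illustration.

```php
<?php
// Added example, not from the original post. In-memory SQLite stands in for
// MySQL so the script runs without a server; swap the DSN for a MySQL one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: one public article and one unpublished draft that
// the page should never show.
$db->exec("CREATE TABLE `articles` (`article_id` INTEGER PRIMARY KEY, `title` TEXT, `published` INTEGER)");
$db->exec("INSERT INTO `articles` VALUES (1, 'Public post', 1), (2, 'Unpublished draft', 0)");

// Vulnerable: the value from the URL is pasted straight into the SQL string,
// exactly like the news.php?id= example. The draft check is bypassed.
function fetchVulnerable(PDO $db, string $id): array {
    $query = "SELECT `title` FROM `articles` WHERE `published` = 1 AND `article_id` = $id";
    return $db->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened (1): a numeric id is cast to int before use, so no SQL syntax can
// survive. This is the right filter for an unquoted numeric column; escaping
// alone would not help here because "1 OR 1=1" has no quotes to escape.
function fetchIntCast(PDO $db, string $id): array {
    $safeId = (int) $id;
    $query = "SELECT `title` FROM `articles` WHERE `published` = 1 AND `article_id` = $safeId";
    return $db->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened (2): a prepared statement. The parameter is sent separately from
// the SQL text, so whatever the attacker types is compared as a single value
// and never parsed as SQL. This is the approach to prefer today.
function fetchPrepared(PDO $db, string $id): array {
    $stmt = $db->prepare("SELECT `title` FROM `articles` WHERE `published` = 1 AND `article_id` = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker input, i.e. news.php?id=1%20OR%201%3D1
$attack = "1 OR 1=1";

print_r(fetchVulnerable($db, $attack)); // both titles, including the unpublished draft
print_r(fetchIntCast($db, $attack));    // only "Public post": (int)"1 OR 1=1" is 1
print_r(fetchPrepared($db, $attack));   // at most "Public post"; the text is never run as SQL
```

The vulnerable query becomes `WHERE published = 1 AND article_id = 1 OR 1=1`, and because AND binds tighter than OR the `OR 1=1` makes the whole condition true for every row. Run it as `php example.php` to see the three result sets side by side; the prepared-statement version returns no row under SQLite (the text does not convert to an integer) and would return only article 1 under MySQL's looser string-to-number coercion, but in neither case does any of the attacker's SQL execute.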

Hope this helps some people!
Stay secure

Contributed by welshywoo on August 22, 2008, at 12:08 PM UTC.


Copyright Notice

The copyright for this content entitled "Securing mysql queries in php" has been specified by the contributor as:

All Rights Reserved

This content may not be copied, distributed or adapted by anyone under any circumstances.
