SQL Injection Prevention !!

09-19-2014, 05:10 PM #1
jibon57 Offline TeaM MaDLeeTs ***
TeaM MaDLeeTs
Posts:19 Threads:4 Joined:Aug 2014 Reputation: 0
Mood: None
Hello community,

In this community many expert programmers are giving suggestions for doing SQL Injection and also helping to prevent it. What will be the best way to prevent SQL Injection? I am using this kind of trick:

PHP Code:
$mysqli = new mysqli("HOST", "USER", "PASS", "DB");
$id = mysqli_real_escape_string($mysqli, $_GET['id']);
$query = $mysqli->prepare("SELECT * FROM `TABLE` WHERE `id` = ?");
$query->bind_param('i', $id); // I think the value of $id is Integer.
$query->execute();
$result = $query->get_result();
if ($result) {
    $row = $result->fetch_assoc();
}


Please, experts, give your suggestions :). Am I fully secure with this code? Thanks in advance.

09-20-2014, 12:35 AM #2
T3N38R15 Offline ? lawless-coder *****
Moderators
Posts:812 Threads:48 Joined:Jan 2014 Reputation: 126
Mood: Fine
Yep, this is secure ;)
But full security does not exist ;)

09-20-2014, 01:04 AM #3
jibon57 Offline TeaM MaDLeeTs ***
TeaM MaDLeeTs
Posts:19 Threads:4 Joined:Aug 2014 Reputation: 0
Mood: None
T3N38R15 Wrote: But full security does not exist
Thanks for your reply :). Will you please suggest something ;) ?

09-20-2014, 01:31 AM #4
T3N38R15 Offline ? lawless-coder *****
Moderators
Posts:812 Threads:48 Joined:Jan 2014 Reputation: 126
Mood: Fine
I mean by that that there may be some exploit or something in the function, but you can protect yourself against new attacks.

10-21-2014, 12:13 AM #5
Matt Offline Junior Member **
Registered
Posts:2 Threads:0 Joined:Oct 2014 Reputation: 0
Mood: None
This is a correct prepared statement; however, the whole point of prepared statements is to not use:
PHP Code:
mysqli_real_escape_string();

Therefore, all you have to do is this:
PHP Code:
$id = $_GET['id'];

10-21-2014, 12:18 AM #6
T3N38R15 Offline ? lawless-coder *****
Moderators
Posts:812 Threads:48 Joined:Jan 2014 Reputation: 126
Mood: Fine
Matt, this is double security :)

10-21-2014, 02:01 AM #7
Matt Offline Junior Member **
Registered
Posts:2 Threads:0 Joined:Oct 2014 Reputation: 0
Mood: None
A prepared statement sends the query before the data, so running
PHP Code:
mysqli_real_escape_string();
will have no effect. Just by passing the data separately, you are protected from SQL Injection. Therefore you can say double security, but really it's just an unnecessary line of code :)
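The following is an added example, not code from jibon57's post or from Matt's replies. It rewrites the snippet from the first post the way posts #5 and #7 suggest: the escape call is dropped because the SQL text and the bound value reach the server separately, and the `id` is validated as an integer before it is bound (a value that is not an integer is rejected with a 400 instead of being silently cast by `bind_param('i')`). The host, user, password, database and table name are placeholders, and `parseId` / `findById` are names chosen here, not mysqli functions.

```php
<?php
// Added example (not from the original thread). Placeholders: HOST, USER,
// PASS, DB and the table name `TABLE`.
declare(strict_types=1);

// Make mysqli throw exceptions on failure instead of returning false,
// so a failed prepare()/execute() cannot be ignored by accident.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Validate a raw request value as a non-negative integer id.
 * Returns null for anything that is not a plain integer ("abc", "1.5", ""),
 * so a bad id is rejected rather than being cast to 0 by bind_param('i').
 */
function parseId(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $id === false ? null : $id;
}

/**
 * Fetch one row by id with a prepared statement. The query text is sent
 * first and the value is bound afterwards, so the value can never alter the
 * query structure; no mysqli_real_escape_string() call is needed.
 * get_result() requires the mysqlnd driver (the default in current PHP builds).
 */
function findById(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare("SELECT * FROM `TABLE` WHERE `id` = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // null when no row matches
    $stmt->close();
    return $row ?: null;
}

// Usage with placeholder credentials:
$mysqli = new mysqli("HOST", "USER", "PASS", "DB");

$id = parseId($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit("invalid id");
}

$row = findById($mysqli, $id);
if ($row === null) {
    http_response_code(404);
    exit("not found");
}
print_r($row);
```

The validation step is the part the thread does not spell out: `bind_param('i', ...)` converts whatever it is given to an integer, so without `parseId` a request such as `?id=abc` would quietly query for `id = 0` instead of being rejected. Enabling `MYSQLI_REPORT_STRICT` is the other practical addition; with it, the `if ($result)` check from the first post becomes unnecessary because any failure surfaces as an exception.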

10-21-2014, 04:21 AM #8
SickSpawn Offline You have an error in your SQL syntax; ***
TeaM MaDLeeTs
Posts:85 Threads:28 Joined:Sep 2014 Reputation: 2
Mood: Hacker
Good job man :)

[#] Twitter: sickspawnhy
[#] Jabber : [email protected]