Jump to content
MakeWebGames

securing against mysql injection


Tonka

Recommended Posts

Guest Anonymous

Re: securing against mysql injection

All SQL injection can be prevented simply by writing your queries properly and sanitizing data *before* it reaches the mysql_query function.

There are a number of topics that discuss this at length in the forums here.

Primary function of note is mysql_real_escape_string()

Link to comment
Share on other sites

Re: securing against mysql injection

So this

 

$amt=5000;
$query = sprintf("UPDATE users SET money=money+($amt) WHERE userid='%s' ",
mysql_real_escape_string($userid));

mysql_query($query);

 

would be better than this?

 

$amt=5000;
$db->query=("UPDATE users SET money=money=($amt) WHERE userid=$userid");

 

Or is there a better way to write that? Please an example. :-D

Link to comment
Share on other sites

  • 4 weeks later...

Re: securing against mysql injection

Nice to see you again AH!

Anyway yes :P

Note: "mres" stands for "mysql_real_escape_string" (saves me from typing it out all the time!)

The idea of a mres is to clean the users input before it reaches the query.

Although the manual states to put mres after the query - Nyna's way (and I know this to be right as she effectively rewrote the entire thing xD) puts it before! xD

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...