Tonka Posted April 16, 2008
I need some help securing against MySQL injection.

Halo Posted April 16, 2008
Re: securing against mysql injection
What's the exact injection?

Tonka (Author) Posted April 16, 2008
Any and all injection.

Guest Anonymous Posted April 16, 2008
All SQL injection can be prevented simply by writing your queries properly and sanitizing data *before* it reaches the mysql_query function. There are a number of topics that discuss this at length in the forums here. Primary function of note is mysql_real_escape_string().

AlabamaHit Posted April 17, 2008
So this

    $amt=5000;
    $query = sprintf("UPDATE users SET money=money+($amt) WHERE userid='%s' ", mysql_real_escape_string($userid));
    mysql_query($query);

would be better than this?

    $amt=5000;
    $db->query("UPDATE users SET money=money+($amt) WHERE userid=$userid");

Or is there a better way to write that? Please, an example. :-D

Magictallguy Posted May 10, 2008
Nice to see you again, AH! Anyway, yes :P

Note: "mres" stands for "mysql_real_escape_string" (saves me from typing it out all the time!)

The idea of a mres is to clean the user's input before it reaches the query. Although the manual states to put mres after the query - Nyna's way (and I know this to be right as she effectively rewrote the entire thing xD) puts it before! xD

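Added example, not part of the thread or any poster's code: AlabamaHit's unquoted, concatenated query beside a parameterized version, run against an in-memory SQLite table through PDO (swapped in for the thread's mysql_* calls so it runs stand-alone). Escaping alone does not protect a value placed in an unquoted numeric position like userid=$userid, which is why the second function validates the id and binds it instead. The table contents, the function names creditConcatenated and creditPrepared, and the two sample userid values are constructed for illustration.

```php
<?php
// Added example: constructed schema and data, in-memory SQLite via PDO.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, money INTEGER NOT NULL)');

// Restore the same three constructed rows before each run.
function resetUsers(PDO $pdo): void
{
    $pdo->exec('DELETE FROM users');
    $pdo->exec('INSERT INTO users (userid, money) VALUES (1, 100), (2, 100), (3, 100)');
}

// 'Before': the request value is concatenated into the SQL text,
// as in the second query quoted in the thread. Returns rows affected.
function creditConcatenated(PDO $pdo, string $userid, int $amt): int
{
    return $pdo->exec("UPDATE users SET money=money+($amt) WHERE userid=$userid");
}

// 'After': the SQL text is fixed; values travel separately as bound parameters.
function creditPrepared(PDO $pdo, string $userid, int $amt): int
{
    // Reject anything that is not a plain non-negative integer id.
    if (!ctype_digit($userid)) {
        return 0;
    }
    $stmt = $pdo->prepare('UPDATE users SET money = money + :amt WHERE userid = :id');
    $stmt->bindValue(':amt', $amt, PDO::PARAM_INT);
    $stmt->bindValue(':id', (int) $userid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$amt = 5000;
$inputs = ['2', '2 OR 1=1']; // constructed request values: one normal, one malformed

foreach ($inputs as $userid) {
    resetUsers($pdo);
    $before = creditConcatenated($pdo, $userid, $amt);
    resetUsers($pdo);
    $after = creditPrepared($pdo, $userid, $amt);
    printf("userid=%-12s concatenated: %d row(s), prepared: %d row(s)\n",
        var_export($userid, true), $before, $after);
}
```

The concatenated form credits every row when the value carries extra SQL, while the prepared form touches one row for a valid id and none otherwise.
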
Halo Posted May 11, 2008
There is a post in Free Game Modifications that helps secure your game against injections.

The Ace Posted May 11, 2008
Which pages are the most important ones to protect against SQL injections?

Guest Anonymous Posted May 11, 2008
Every one. Well, ones that use the database.