sql injection



I have implemented a way to avoid SQL injection on the PHP website from this URL,
http://in.php.net/mysql_real_escape_string, following the "Example #3 A
"Best Practice" query" section of that page.

Following are the steps I have followed after the form values are
submitted to a PHP file.

step 1.

$username = stripslashes($_POST["username"]);

$username = $_POST["username"];

step 2.

$conn = mysql_connect($hostname, $user, $password);

step 3.

$insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES
('%s', ...)", mysql_real_escape_string($username, $conn),


step 4.

header("Location: http://website/dberror.html");

mysql_select_db($database, $conn);

$insertqueryresult = mysql_query($insertquery);

if (!$insertqueryresult) {
    header("Location: http://website/error.html");
    exit;
}


With the above method I am able to insert values into the table even
if I enter the ' special character, which can cause


I have also used a simple SQL insert query like

$insertquery = "INSERT INTO table(username, ...) VALUES
('$username', ...)";

When I used this simple insert query and entered ' in the form
and submitted it, the PHP file is unable to process
the information entered because of the ' character, and as per the code
the error.html file is displayed, whereas if I use

$insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES
('%s', ...)", mysql_real_escape_string($username, $conn),


even if I enter any number of ' characters in more than one form field,
the data is inserted into the table.

So I am thinking that the steps I have taken from the PHP site are
correct and the right way to avoid SQL injection, though
there are several ways to avoid SQL injection.

For example, if I enter data in the form as = abc'''def for the name, the
data in the table for the name field is written as


Based on how I have written the steps to avoid SQL injection, is this
the right way for the data to be stored with '
characters along with the data, as in the example I mentioned = abc'''def?

Please answer questions a) and b); if there is something else I
need to do, please suggest what needs to be done exactly
and at which step.

Any help will be greatly appreciated.


Re: sql injection


Neither a) nor b) are questions, they are statements. However, if you
apply mysql_real_escape_string() over every user supplied variable you're
reasonably safe. There are some caveats with very rare connection
collation & broken multibyte chars I gather, which would require some
specific setup to be vulnerable. The real deal, i.e. safest, are of course
prepared statements, available in mysqli or PDO.
-- 

Rik Wasmus
...spamrun finished
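As an added example (not code from the original post or from the reply above), the same INSERT done three ways with PDO: the interpolated query from the post, the escaped-literal approach, and the prepared statement the reply recommends. It assumes the pdo_sqlite extension and an in-memory SQLite database so it runs offline; the MySQL DSN with its charset is only shown in a comment.

```php
<?php
// Added example, not from the original thread. In-memory SQLite so it
// runs offline; for MySQL the DSN would be something like
// 'mysql:host=localhost;dbname=app;charset=utf8mb4' (assumed values).
// Declaring the charset in the DSN is what closes the multibyte
// collation caveat the reply mentions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');

// Constructed sample input: the same value the poster typed into the form.
$username = "abc'''def";

// 1. The "simple" query from the post. The quotes in the input become part
//    of the SQL text, so the statement no longer parses (and a crafted
//    value could change its meaning instead of just breaking it).
try {
    $pdo->exec("INSERT INTO users (username) VALUES ('$username')");
    echo "unescaped insert: unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "unescaped insert failed: " . $e->getMessage() . "\n";
}

// 2. Escaping, the PDO equivalent of mysql_real_escape_string(): quote()
//    returns a quoted literal with each ' doubled, so the value survives.
//    For "abc'''def" the literal is 'abc''''''def'.
$literal = $pdo->quote($username);
$pdo->exec("INSERT INTO users (username) VALUES ($literal)");

// 3. Prepared statement: the value is bound separately and never becomes
//    part of the SQL text, so no quoting is involved at all.
$stmt = $pdo->prepare('INSERT INTO users (username) VALUES (:u)');
$stmt->execute([':u' => $username]);

// Rows 1 and 2 both hold the three ' characters verbatim; the poster's
// observation that the data "is being inserted" is the expected result,
// and the prepared form is the one to keep.
foreach ($pdo->query('SELECT id, username FROM users ORDER BY id') as $row) {
    printf("%d: %s\n", $row['id'], $row['username']);
}
```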
