SQL Injections - The final solution to

Submitted on: 2/6/2009 8:59:53 AM
By: marcojetson  
Level: Beginner
Compatibility: PHP 4.0, PHP 5.0
Views: 6341
Stop SQL Injections

 
 
Here is a simple, yet effective, solution for avoiding SQL Injections.

Let's look at a statement that is vulnerable to SQL injection:
$r = mysql_query("SELECT * FROM s WHERE id = ".$_GET['id']."");

And the solution:
$r = mysql_query("SELECT * FROM s WHERE id = UNHEX('".bin2hex($_GET['id'])."')");

By hex-encoding the variable in PHP and decoding it again inside the SQL statement, the value reaches the query as nothing but the characters 0-9 and a-f, so there is no chance to inject code.
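An added example (not code from the article) that wraps the author's UNHEX(bin2hex()) trick in a helper, shows what it does to a hostile value, and puts the equivalent prepared statement next to it. The helper names, the sample rows and the SQLite in-memory database standing in for MySQL are assumptions of this example.

```php
<?php
// Added example, not code from the original article. It wraps the
// author's UNHEX(bin2hex()) trick in a helper, shows what it does to
// a hostile value, and places the equivalent prepared statement (the
// idiomatic fix) beside it. Table `s` and column `id` come from the
// article; the SQLite in-memory database stands in for MySQL so the
// prepared-statement part runs offline.

// Hex-encode the value so the SQL literal can only contain 0-9 and a-f:
// no quote, comment marker or keyword from the input reaches the parser.
function hexLiteral(string $value): string
{
    return "UNHEX('" . bin2hex($value) . "')";
}

// The article's vulnerable form, kept to show what the input controls.
function vulnerableQuery(string $id): string
{
    return "SELECT * FROM s WHERE id = " . $id;
}

// The article's hardened form.
function hexQuery(string $id): string
{
    return "SELECT * FROM s WHERE id = " . hexLiteral($id);
}

// Constructed hostile input: a tautology that would widen the WHERE clause.
$hostile = "1 OR 1=1";
echo vulnerableQuery($hostile), "\n"; // the tautology becomes part of the statement
echo hexQuery($hostile), "\n";        // the literal carries only hex digits

// Check a reviewer can apply: the generated literal is nothing but hex digits.
assert(preg_match("/^UNHEX\('[0-9a-f]*'\)$/", hexLiteral($hostile)) === 1);

// Caveat: UNHEX() returns a binary string, so MySQL casts before comparing
// it with an integer id. A bound parameter (PDO, PHP 5.1+) avoids both the
// cast and string concatenation altogether. Constructed sample rows:
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE s (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO s VALUES (1, 'alice'), (2, 'bob')");

$stmt = $pdo->prepare("SELECT * FROM s WHERE id = :id");
$stmt->execute([':id' => $hostile]); // value travels as data, never as SQL
echo count($stmt->fetchAll(PDO::FETCH_ASSOC)), " row(s) for the hostile value\n"; // no match: nothing in the bound value is parsed as SQL
$stmt->execute([':id' => '2']);
echo $stmt->fetchColumn(1), "\n";    // the name stored for id 2
```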


tehwebmaster.blogspot.com / logikk.com.ar



Other User Comments

2/6/2009 3:28:30 PM - Bheesham Persaud

that's smart... good job :)

 
2/10/2009 8:18:45 AM - Jason Stack

This is great and all, but it doesn't really look so good having lots of PHP functions in your query. I'd suggest you just become a strict PHP coder and put single quotes around the WHERE part and sanitize input with the mysql_real_escape_string() function.

 
11/2/2009 5:30:56 AM - sonday

I do it with a secureURL function (JavaScript)

 
5/23/2010 10:54:57 AM - Tom Honaker

Seconding what Jason said. I've used single-quoted field contents passed through MySQL's escaping function and that, coupled with a security module that prechecks form fields for injections, etc. has made my code completely invulnerable to every pen test I've thrown at it.

 
4/7/2011 6:56:15 AM - linxlad

Converting to hex, clever. POST is a more secure way than GET, but I like it :)

 
