[PHP] Protection from SQL injection

PHP Code:

<?php
session_start();
if(!is_numeric($_GET['id']))
{
die("If i am vuln on this, i will not be a coder !");
}[/color]
    $result = mysql_query("SELECT * FROM notifications WHERE id='$id'");
        while($row = mysql_fetch_array($result))
        {
          $text = $row['text'];
        echo $text;
        }
?>

(07-25-2011, 04:30 AM)KaiT_AleX Wrote:

[To see links please register here]

PHP Code:

<?php
session_start();
if(!is_numeric($_GET['id']))
{
die("If i am vuln on this, i will not be a coder !");
}[/color]
    $result = mysql_query("SELECT * FROM notifications WHERE id='$id'");
        while($row = mysql_fetch_array($result))
        {
          $text = $row['text'];
        echo $text;
        }
?>

Give me +1rep if you like this ! :biggrin:
What if you have an alphanumeric id? The best way to prevent SQL injection is to strip, escape, or replace characters that can harm your query string.

mysql_real_escape_string()
can help you there.

usually you know if your id contain numeric or alphanumeric values, anyway,
i used to do like this :
if (preg_match("#^[0-9]#", $_GET['id'])) echo "thats cool";
else die "wtf are you doing";

for alphanumeric thats working:
if (preg_match("#^[a-zA-Z0-9]#", $_GET['id']))

Thanks for the share. I will be needing this when i have my website up and running. Ill reward $20 if you can hack my site.

(08-06-2011, 09:46 AM)slbmeh Wrote:

[To see links please register here]

What if you have an alphanumeric id? The best way to prevent SQL injection is to strip, escape, or replace characters that can harm your query string.

He's 100% spot on with this advice. It's a good to get into the habit of doing the above instead of writing you're own solutions. Something else that's worth using is mod_security.

Good share once again ill use this sometimes

I would have used these functions to do that:

PHP Code:

mysql_real_escape_string(); 


PHP Code:

stripslashes(); 


And instead of this:

PHP Code:

$result = mysql_query("SELECT * FROM notifications WHERE id='$id'"); 


I would have added in this sign for the mysql query being sent in (@).

PHP Code:

$result = @mysql_query("SELECT * FROM notifications WHERE id='$id'"); 


It should disable error outputs, which you should also disable through your php.ini.

Something else to remember is just because you don't output an error doesn't mean you can get exploited. Blind SQL injection is tricky, but not impossible. I'll post some code later I wrote a while back to demonstrate it.

I need help with a project can anyone help, a secure project if you get my drift, and youy certainly are the people to get advice from. Cheers! My skype id is silverbuyer