Comments on: Prevent SQL Injections with PHP http://woolie.co.uk/2007/01/prevent-sql-injections-with-php/ Cycling, Motoring and Web Development. Sun, 05 Jul 2009 00:28:35 +0000 http://wordpress.org/?v= By: Kamlesh Chaube http://woolie.co.uk/2007/01/prevent-sql-injections-with-php/#comment-9041 Kamlesh Chaube Fri, 19 Jun 2009 13:10:58 +0000 http://woolie.co.uk/archives/115#comment-9041 Great !!! I like this help. Thanks, Great !!!
I like this help.
Thanks,

]]> By: vonnero http://woolie.co.uk/2007/01/prevent-sql-injections-with-php/#comment-8034 vonnero Wed, 15 Apr 2009 18:01:43 +0000 http://woolie.co.uk/archives/115#comment-8034 Great and direct to the point.... thanks Great and direct to the point…. thanks

]]> By: jesper http://woolie.co.uk/2007/01/prevent-sql-injections-with-php/#comment-7608 jesper Wed, 11 Mar 2009 14:13:07 +0000 http://woolie.co.uk/archives/115#comment-7608 http://jesperkampmann.com/prevent-sql-injection.html This website has a code there automatic escape all incomming data: _POST, _SESSION, _COOKIE, _GET, _FILE :-) http://jesperkampmann.com/prevent-sql-injection.html

This website has a code there automatic escape all incomming data:
_POST, _SESSION, _COOKIE, _GET, _FILE :-)

]]> By: Amatoc Industries http://woolie.co.uk/2007/01/prevent-sql-injections-with-php/#comment-5777 Amatoc Industries Tue, 16 Dec 2008 07:24:08 +0000 http://woolie.co.uk/archives/115#comment-5777 For making sure that something is an integer, you dont have to use the is_integer() function followed by an ugly OR DIE(). You can more simply just cast the input as an int using the following code: $id = (int)$_GET['id']; This casts the variable as one of type int. int variables cannot store any data other than ints. So... it is unable to store text. As such, malicious input such as 12' OR 1=1 ' would just become 12. I use this method myself to sanitize int inputs and it works like a charm For making sure that something is an integer, you dont have to use the is_integer() function followed by an ugly OR DIE(). You can more simply just cast the input as an int using the following code:

$id = (int)$_GET['id'];

This casts the variable as one of type int. int variables cannot store any data other than ints. So… it is unable to store text. As such, malicious input such as 12′ OR 1=1 ‘ would just become 12.

I use this method myself to sanitize int inputs and it works like a charm

]]> By: Android http://woolie.co.uk/2007/01/prevent-sql-injections-with-php/#comment-4892 Android Thu, 13 Nov 2008 00:51:02 +0000 http://woolie.co.uk/archives/115#comment-4892 Super, just what I needed. One question: If mysql_real_escape_string() takes care of the problem why do the numeric and length checks? Super, just what I needed. One question: If mysql_real_escape_string() takes care of the problem why do the numeric and length checks?

]]> By: Woolie http://woolie.co.uk/2007/01/prevent-sql-injections-with-php/#comment-1406 Woolie Sun, 20 Apr 2008 22:41:42 +0000 http://woolie.co.uk/archives/115#comment-1406 Hi Roel, as the notice at the top of this post states, the code used in this post may be out of date. Please make sure you verify with other sources before using it. To answer your question, no there is no real difference. The only thing I would note is that in the second one, to make the result exactly the same as the first, you may want to rewrite like so: <pre lang="php"> $result = mysql_query("SELECT* FROM animals WHERE name = $safe"); </pre> Hi Roel, as the notice at the top of this post states, the code used in this post may be out of date. Please make sure you verify with other sources before using it.

To answer your question, no there is no real difference. The only thing I would note is that in the second one, to make the result exactly the same as the first, you may want to rewrite like so:

$result = mysql_query("SELECT* FROM animals WHERE name = $safe");
]]> By: Roel http://woolie.co.uk/2007/01/prevent-sql-injections-with-php/#comment-1399 Roel Sun, 20 Apr 2008 07:40:35 +0000 http://woolie.co.uk/archives/115#comment-1399 Is there a difference between: $query = "SELECT * FROM animals WHERE name = $safe"; $result = mysql_query( $query ); $query = mysql_query("* FROM animals WHERE name = $safe"); Is there a difference between:

$query = “SELECT * FROM animals WHERE name = $safe”;
$result = mysql_query( $query );

$query = mysql_query(”* FROM animals WHERE name = $safe”);

]]> By: Nick http://woolie.co.uk/2007/01/prevent-sql-injections-with-php/#comment-354 Nick Wed, 25 Jul 2007 10:43:02 +0000 http://woolie.co.uk/archives/115#comment-354 When you want to use a numeric value, you can just use this : $id = (int)$_GET['id']; When you want to use a numeric value, you can just use this :

$id = (int)$_GET['id'];

]]> By: johni http://woolie.co.uk/2007/01/prevent-sql-injections-with-php/#comment-353 johni Thu, 31 May 2007 15:12:09 +0000 http://woolie.co.uk/archives/115#comment-353 Great article, i must say simply the best! Great article, i must say simply the best!

]]> By: harry http://woolie.co.uk/2007/01/prevent-sql-injections-with-php/#comment-352 harry Tue, 15 May 2007 06:14:30 +0000 http://woolie.co.uk/archives/115#comment-352 nice one dude nice one dude

]]>