TalkPHP - View Single Post - SQL Injection and mysql_real_escape_string

Durux · 05-01-2008, 10:49 AM

I have heard that it is still possible to use SQL Injections even with the use of mysql_real_escape_string() though not the most common ones.

If this is true, why not use a preprepared SQL sentence.
This will be a slower code of course, but it will eliminate SQL Injections in a login form.

EX:

PHP Code:


			
/*Inputted: $pUsername and $pPassword from the login form*/



$link = mysql_connect('localhost','username','password') or die('Invalid connection: '.mysql_error());

$db = mysql_select_db('database',$link) or die('Invalid Database: '.mysql_error());



$sql = "SELELCT username, password, rank FROM example_users";

$result = mysql_query($sql,$link) or die('Invalid Query: '.mysql_error());



while($row = mysql_fetch_assoc($result)){

    

    $szArray[]['username'] = $row['username'];

    $szArray[]['password'] = $row['password'];

    $szArray[]['rank'] = $row['rank'];

    

}



$j = count($szArray);

$salt = 'not this one';/*You just never know*/

$pPassword = md5($salt.$pPassword);

$chBool = false;



for($i=0; $i<$j; $i++){

    

    if($szArray[$i]['username'] == $pUsername){

        

        if($szArray[$i]['password'] == $pPassword){

            

            $chBool = true;

            $user = $szArray[$i]['username'];

            $i = $j;

            

        }

        

    }

    

}



mysql_close($link);



if($chBool == true){

    echo "Welcome $user.";

}

else{

    echo "Wrong username or password.";

}

With this there is no way you could use SQL Injection.
I know this can not be made for every single Query but for the most important like the login it could be quite good.

This of course only goes if it's true that even mysql_real_escape_String() can't stop every SQL Injection.

05-01-2008, 10:49 AM	#1 (permalink)
Durux The Wanderer Join Date: Apr 2008 Posts: 12 Thanks: 7	SQL Injection and mysql_real_escape_string I have heard that it is still possible to use SQL Injections even with the use of mysql_real_escape_string() though not the most common ones. If this is true, why not use a preprepared SQL sentence. This will be a slower code of course, but it will eliminate SQL Injections in a login form. EX: PHP Code: /Inputted: $pUsername and $pPassword from the login form/ $link = mysql_connect('localhost','username','password') or die('Invalid connection: '.mysql_error()); $db = mysql_select_db('database',$link) or die('Invalid Database: '.mysql_error()); $sql = "SELELCT username, password, rank FROM example_users"; $result = mysql_query($sql,$link) or die('Invalid Query: '.mysql_error()); while($row = mysql_fetch_assoc($result)){ $szArray[]['username'] = $row['username']; $szArray[]['password'] = $row['password']; $szArray[]['rank'] = $row['rank']; } $j = count($szArray); $salt = 'not this one';/You just never know/ $pPassword = md5($salt.$pPassword); $chBool = false; for($i=0; $i<$j; $i++){ if($szArray[$i]['username'] == $pUsername){ if($szArray[$i]['password'] == $pPassword){ $chBool = true; $user = $szArray[$i]['username']; $i = $j; } } } mysql_close($link); if($chBool == true){ echo "Welcome $user."; } else{ echo "Wrong username or password."; } With this there is no way you could use SQL Injection. I know this can not be made for every single Query but for the most important like the login it could be quite good. This of course only goes if it's true that even mysql_real_escape_String() can't stop every SQL Injection.