How SQL injection works and how I can protect against it

Possible duplicate:
What is SQL injection?

I see a lot of php code floating around in stackoverflow and (too) little string escaping.

Can anyone

  • Explain what SQL injection is;
  • Explain what it can do with your server, data, and code;
  • Give an example of how to perform SQL injection
  • Give php example code how to protect against SQL injection
+5
4 answers

I also can not resist.

SQL Injection - " , , ". , SQL- .

SQL Injections (, , etc.) . , SQL Injections .

, PHP script ( ) , , :

SELECT Id FROM Users WHERE Name = $name AND Password = $password;

$name $password , (, <input>). , , "1 OR 1 = 1; --", :

SELECT Id FROM Users WHERE Name = 1 OR 1 = 1; -- AND Password = $password;

; script , .

, -- AND Password = $password; SQL .

PHP < 5, mysql_real_escape_string() , .

PHP5 +, PDO mysqli, .

+9

SQL- - SQL-, "" SQL, -, . ,

"SELECT * FROM `users` WHERE `username` = '$name'";

. "" , . , , , "OR 1 = 1",

"SELECT * FROM `users` WHERE `username` = '' OR 1=1";

1 1, , true , , , . , - . , - - "'; DROP TABLE users"; -,

"SELECT * FROM `users` WHERE `username` = ''; DROP TABLE `users`;--'";

, , , ENTIRE users, .

SQL . SQL, -

"SELECT * FROM `users` WHERE `username` = ?";

(WHERE username ), . , , . , . , .


+11


1- Sql , .

2- , . , , , , . ( ..)

3- .

4- , PHP. , .

+10

( ) , .

  • Explain what SQL injection is;
  • Explain what it can do with your server, data, and code;
  • Give an example of how to perform SQL injection
  • Give php example code how to protect against SQL injection
  • SQL- - , , , , , SQL. , (, %) .

  • , . , - , . , , (, , ).

  • , , . SQL-, - : MyName';DROP TABLE Users;-- , , -. , .

  • This one, I don’t know, has updated enough information, but there are many :)

+1
