Basic SQL injection?

I was informed in a previous question that my query is subject to SQL injection.

$get_stats = mysql_query("SELECT * FROM visitors WHERE site='$_GET[site]' AND date BETWEEN '$start_date' AND '$end_date' ");

What would be the easiest way to approach this problem? And do you have additional readings on the subject of injections? (something that I can skip on Google). Thanks!

+4
3 answers

Use Prepared Statements.

In most cases, prepared statements do the job of combining your request with your parameters in a safe manner.

+16

$_GET['site'] is a value that comes directly from the browser URL, which means that the user can easily change this value to whatever he wants. You should validate / sanitize this value, and in fact all values, before sending them to the database.

Something like this would be a start. It could still use more work, and there are many ways to do it; I would create a user-defined function / class to easily pass all variables through it sitewide, which could just repeat things like this:

 $site = mysql_real_escape_string($_GET['site']);
 $start_date = mysql_real_escape_string($start_date);
 $end_date = mysql_real_escape_string($end_date);
 $get_stats = mysql_query("SELECT * FROM visitors WHERE site='$site' AND date >= '$start_date' AND date <= '$end_date' ");
+8
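The query from the question rewritten with a PDO prepared statement, as the first answer recommends, combined with the input validation the second answer describes. This is an added example, not code from the question or either answer; the table and column names come from the question, while the DSN, credentials and the assumption that the dates also arrive as GET parameters are placeholders.

```php
<?php
// Added example (not from the original question or answers): the visitor-stats
// query with a PDO prepared statement plus validation of the date parameters.
// DSN, credentials and the GET parameter names for the dates are assumptions.

declare(strict_types=1);

function validate_date(string $value): string
{
    // Accept only YYYY-MM-DD and reject impossible dates such as 2023-02-30.
    $d = DateTime::createFromFormat('!Y-m-d', $value);
    if ($d === false || $d->format('Y-m-d') !== $value) {
        throw new InvalidArgumentException("Invalid date: $value");
    }
    return $value;
}

function get_stats(PDO $db, string $site, string $start_date, string $end_date): array
{
    // The SQL text contains only placeholders; the user-supplied values are sent
    // to the server separately as data, so they can never change the query's structure.
    $stmt = $db->prepare(
        'SELECT * FROM visitors WHERE site = :site AND date BETWEEN :start AND :end'
    );
    $stmt->execute([
        ':site'  => $site,
        ':start' => validate_date($start_date),
        ':end'   => validate_date($end_date),
    ]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholder connection details; replace with your own.
$db = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

// A missing parameter is rejected instead of silently becoming an empty string.
$site = $_GET['site'] ?? throw new InvalidArgumentException('site is required');
$rows = get_stats($db, $site, $_GET['start'] ?? '', $_GET['end'] ?? '');
```

With emulated prepares disabled, MySQL itself parses the statement before it ever sees the parameter values, which is what makes the site name and dates harmless regardless of what they contain.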

mysql_real_escape_string is the simplest and easiest form of security here.

+2
