Part of php code to prevent hacking

I have a php file on my site and I connect to db, get some entries and list them in one file.

    // Connect with hard-coded credentials (placeholders) and stop on failure
    mysql_connect("localhost", "blabla", "blabla") or die(mysql_error());
    mysql_select_db("blabla") or die(mysql_error());

    // Three fixed queries, one per category; no variables are interpolated
    $blabla1 = mysql_query("SELECT * FROM gallery WHERE id_cat=1");
    $blabla2 = mysql_query("SELECT * FROM gallery WHERE id_cat=2");
    $blabla3 = mysql_query("SELECT * FROM gallery WHERE id_cat=3");

So, is there anything I need for security? Like SQL injection or something else. There is nothing like a URL. It is just www.blabla.com/gallery.php.

+7
security php mysql
6 answers

This snippet is completely safe since there are no variables in the query string.

To work safely, if you have to deal with variables one day - whether they come directly from the user or from another data source - you can switch to a MySQL library that supports parameterized queries, such as PDO. They completely eliminate the danger of injection, because they automatically escape the incoming data.

If you stick with the mysql_* functions, make sure you escape all incoming data using mysql_real_escape_string() and make sure it is inserted in a pair of single quotes.

+10

As long as your queries do not use parameters, SQL injection is not a risk. SQL injection can happen only when users (or other sources) can influence anything that is sent to the database in SQL, for example, search words.

+4

There are no security issues here. SQL injection can happen when you get input from a user and use it in your queries.

+2

If the gallery table contains some user input, then some kind of XSS attack could be carried out. To avoid this, all untrusted user input should be escaped using the htmlspecialchars() function before printing to the browser.

+2
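The output-escaping step this answer recommends, as an added example that is not part of the original question or answers. It renders a list of gallery rows with every untrusted field passed through htmlspecialchars(). The rows are constructed sample data, and the column names (id, title, filename) are assumptions; the question only shows SELECT * FROM gallery.

```php
<?php
// Added example, not from the question or any answer. Renders gallery rows as
// HTML with every untrusted field escaped. The column names id, title and
// filename are assumed; the sample rows below are constructed.

declare(strict_types=1);

/** Escape a string for safe insertion into HTML text or a double-quoted attribute. */
function h(string $value): string
{
    // ENT_QUOTES also converts single quotes; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string for the whole value.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the <ul> markup for a list of gallery rows. */
function renderGallery(array $rows): string
{
    $html = "<ul class=\"gallery\">\n";
    foreach ($rows as $row) {
        // Both the attribute values and the visible caption are escaped; the id
        // is cast to int because it is only ever meant to be a number.
        $html .= sprintf(
            "  <li><img src=\"/img/%s\" alt=\"%s\"> %s (#%d)</li>\n",
            h($row['filename']),
            h($row['title']),
            h($row['title']),
            (int) $row['id']
        );
    }
    return $html . "</ul>\n";
}

// Constructed sample rows. The second one holds the kind of values a stored
// XSS attempt would leave in the table if titles or filenames ever came from
// users: a script tag in the title and a double quote in the filename.
$rows = [
    ['id' => 1, 'title' => 'Sunset',                    'filename' => 'sunset.jpg'],
    ['id' => 2, 'title' => '<script>alert(1)</script>', 'filename' => 'a"b.jpg'],
];

echo renderGallery($rows);
```

With the escaping in place the script tag reaches the browser as literal text (`&lt;script&gt;...`) and the double quote in the filename becomes `&quot;`, so neither value can close the attribute or start a new element. Escaping at output time, in one helper, is easier to audit than trying to sanitize data on the way into the table.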

This snippet is safe because there is no user input in the queries.

If you have user input, for example, having received the category to display from the URL or POST, you should use prepared statements. It can be safe even with user input. This is much safer than pure escaping, as the SQL is parsed first and then the parameters are inserted. This is better for performance, and user input cannot change the structure of the SQL query.

+1

The only thing you might want to consider, given that the connection code is in a web-accessible PHP script, is as follows:

  • move the MySQL connection details out of the script and into a file outside the site's document root

  • or use variables from outside (that is, from another file outside the document root) for the username and password instead of hard-coding the details in the script

Thus, if for some reason the server displays the code instead of rendering PHP, then the data will remain safe from viewing.

0
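An added example, not code from the question or from any of the answers, that combines three points made in this thread: the PDO prepared statement that the first and fifth answers recommend once a category id comes from the URL, and the credentials file outside the document root that this last answer describes. The path ../config/db.php, the config keys, the column names and the category range 1 to 3 are all assumptions.

```php
<?php
// Added example, not from the question or the answers. Assumes the script lives
// in the document root (e.g. /var/www/html/gallery.php) and that a sibling
// directory outside it (/var/www/config) holds the credentials. Column names,
// config keys and the category range are assumptions.

declare(strict_types=1);

// /var/www/config/db.php, outside the document root, would contain something
// like:
//   <?php return ['dsn'  => 'mysql:host=localhost;dbname=blabla;charset=utf8mb4',
//                 'user' => 'blabla', 'pass' => 'blabla'];
// If the web server ever serves this script as plain text, only the include
// path is exposed, not the password.
$config = require __DIR__ . '/../config/db.php';

$pdo = new PDO($config['dsn'], $config['user'], $config['pass'], [
    // Throw on errors instead of returning false that calling code forgets to check.
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    // Use real server-side prepared statements, not client-side emulation.
    PDO::ATTR_EMULATE_PREPARES   => false,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

/**
 * Fetch the gallery rows for one category. The id is bound as a typed
 * parameter after the statement is parsed, so its value can never change the
 * structure of the query, which is the property the answers above describe.
 */
function galleryByCategory(PDO $pdo, int $categoryId): array
{
    $stmt = $pdo->prepare('SELECT id, title, filename FROM gallery WHERE id_cat = :cat');
    $stmt->bindValue(':cat', $categoryId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Category taken from the URL (gallery.php?cat=2). Validate it as an integer
// in the expected range before it goes anywhere near the database; anything
// else falls back to category 1 rather than being interpolated into SQL.
$cat = filter_var($_GET['cat'] ?? 1, FILTER_VALIDATE_INT, [
    'options' => ['default' => 1, 'min_range' => 1, 'max_range' => 3],
]);

$rows = galleryByCategory($pdo, $cat);
// Hand $rows to the rendering code, escaping each field with htmlspecialchars()
// before it is printed.
```

The validation step is defence in depth rather than the injection fix: the bound parameter already guarantees the id is sent as data, but rejecting out-of-range values early keeps bad input out of the query log and the error path. If you stay on the mysql_* route from the first answer instead, the value still has to be wrapped in single quotes after mysql_real_escape_string(); note that the legacy mysql extension was removed in PHP 7.0, so new code should use PDO or mysqli.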
