Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!
by maurits » Fri Mar 25, 2005 4:25 am
Hello everyone!
After reading the sticky posts in this forum about security, I'd like to know if the following would be a secure way to get information from a database:
Code:
function getCompanionInfo($id, &$returnArray) {
    global $dbConnection;
    // is_integer() is only true for a real PHP integer; values taken from
    // $_GET/$_POST arrive as strings, so "5" from a request fails this test.
    if (is_integer($id)) {
        // %d forces the value to be rendered as a decimal integer.
        $query = sprintf("SELECT * FROM companions WHERE companion_id = %d LIMIT 1", $id);
        $result = mysql_query($query, $dbConnection);
        $returnArray = mysql_fetch_array($result);
        return $returnArray;
    } else {
        die("This script is protected against SQL injection.");
    }
}
Any thoughts would be greatly appreciated!
Kind regards,
Maurits
by AeroX » Fri Nov 07, 2008 12:25 am
I realise that this is a several year old thread but it saves me creating my own on a similar topic.
The basic rules of how to write more secure SQL:
- All table and column names should be enclosed between two of these `.
- All data you are providing should be enclosed between two of these '.
- Conditional sections of the SQL should be in brackets ().
- SQL functions(?) should be in uppercase.
- SQL queries should end with a semi-colon (;).
Example:
Code:
SELECT * FROM `companions` WHERE (`companion_id`='%d') LIMIT 1;
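Added example, not code from either post: it shows why maurits's is_integer() check rejects a legitimate id that arrives as a request string, and a version of the lookup against the same `companions` table using a PDO prepared statement, which is the current replacement for the mysql_* functions (removed in PHP 7). The connection details at the bottom are placeholders.

```php
<?php
// Request parameters in PHP are always strings, so is_integer("5") is false
// and the original function would die() even for a valid companion id.
var_dump(is_integer(5));    // bool(true)
var_dump(is_integer("5"));  // bool(false) - what $_GET['id'] actually looks like

// Validation that accepts a numeric string but rejects anything that is not
// a positive integer (letters, spaces, operators, empty input).
function validCompanionId($id) {
    // FILTER_VALIDATE_INT returns the integer on success and false otherwise.
    return filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
}

// Lookup with a prepared statement: the id is bound as a parameter and sent
// separately from the SQL text, so request data is never spliced into the query.
function getCompanionInfo(PDO $db, $id) {
    $id = validCompanionId($id);
    if ($id === false) {
        return null; // invalid id; the caller decides how to report it
    }
    $stmt = $db->prepare('SELECT * FROM `companions` WHERE `companion_id` = :id LIMIT 1');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage (DSN, user and password are placeholders, not values from the thread):
// $db = new PDO('mysql:host=localhost;dbname=DBNAME;charset=utf8mb4', 'USER', 'PASSWORD', [
//     PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES   => false, // use real server-side prepares
// ]);
// $row = getCompanionInfo($db, $_GET['id'] ?? '');
```

The combination of an integer filter and a bound parameter makes the quoting rules in the post above a matter of style rather than the thing keeping injection out.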