
send data with more security

Postby romina » Tue Aug 16, 2005 9:23 pm

Hello, and thanks for your good forum.

My problem is in sending data from a form.

I send data with $_POST['something'] and, for example, check it in a MySQL query like this:

" SELECT * FROM `users` WHERE username='$username' AND password='$password' "

I want to know if some user can see all of the table, or enter the CMS instead of an admin and do all they want, like this:

"SELECT * FROM users WHERE username='admin' or 1=1#"

Please help me to have secure code.
romina

Postby victor123 » Tue Aug 16, 2005 11:50 pm

Hi,

To avoid that kind of problem, you should check that every value the user can enter corresponds to the data you are expecting (i.e. a numeric field has only numbers and such). That can be done with JS, although it is not advisable to rely only on JS.

Besides, using mysql_real_escape_string() on every POST value to escape (i.e. put a backslash before) certain characters will take care of SQL attacks, as far as I know.

I use both JS and mysql_real_escape_string(). Also, I check every query for the validity of the results (if I am expecting the query to return something and it doesn't return anything, I quit the application, for example).

Regards.
victor123

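The login query from the question beside a hardened version, as an added example that is not part of the original thread (neither poster's code). It uses an in-memory SQLite database through PDO so it runs offline from the command line; pdo_sqlite is assumed to be available, and the same code runs unchanged against MySQL with a "mysql:" DSN. The table, the admin row, the credentials and the form values (string literals standing in for $_POST) are constructed for the example. The injected string uses "-- " as the comment sequence instead of the "#" from the question, because SQLite does not treat "#" as a comment (MySQL accepts both). A prepared statement sends the values separately from the SQL text, so they can never change the query's structure whatever characters they contain, and the password is checked against a stored hash rather than compared inside the SQL.

```php
<?php
// Added example, not from the original thread. In-memory SQLite so it runs
// offline; in production the DSN would be "mysql:host=...;dbname=...".
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

// Constructed sample row. The column holds a password hash, not the password.
$ins = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$ins->execute(['admin', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

// 1. The vulnerable pattern from the question: user input pasted into the SQL.
//    (It also only "works" if plaintext passwords are stored, a second defect.)
function loginVulnerable(PDO $db, string $username, string $password): ?array
{
    $sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// 2. Hardened: the placeholder keeps the username out of the SQL text, and the
//    password is verified against the stored hash in PHP, not compared in SQL.
function loginSafe(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null; // unknown user or wrong password: same answer for both
    }
    unset($row['password']); // never hand the hash back to the caller
    return $row;
}

// The attack from the question: close the quote, make the WHERE clause always
// true with OR 1=1, and comment out the password check. "-- " works in both
// MySQL and SQLite; the question's "#" is MySQL-only.
$payload = "admin' OR 1=1 -- ";

$r = loginVulnerable($db, $payload, 'anything');
echo 'vulnerable query, injected username: ', $r ? "logged in as {$r['username']}" : 'denied', "\n";

$r = loginSafe($db, $payload, 'anything');
echo 'prepared statement, injected username: ', $r ? 'logged in' : 'denied', "\n";

$r = loginSafe($db, 'admin', 'correct horse battery staple');
echo 'prepared statement, real credentials: ', $r ? "logged in as {$r['username']}" : 'denied', "\n";
```

Run with `php` from the command line: the first call logs in as admin without knowing any password, the second is denied because the whole injected string is looked up as a literal username, and the third succeeds only because the real password matches the stored hash.
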
Postby romina » Wed Aug 17, 2005 12:20 am

Thank you, Victor, for your answer.

It was very good. Can you tell me the JS code you use for this?

I will be so thankful.
romina

Postby victor123 » Wed Aug 17, 2005 1:29 am

Well, there are many routines to check fields. For example, you can use isNaN(field.value) to check whether it is a numeric value or not. I am not a JS expert, so I suggest posting JS problems in the appropriate forum.

Regards.
victor123

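The server-side counterpart of the field checks described in the replies above, as an added example that is not from the original thread. The reply notes that JavaScript checks alone cannot be relied on, since the browser is under the attacker's control; this script does the same "does each value match what the field is supposed to hold" test in PHP, where it cannot be skipped. The field names (user_id, username, password), the limits and the two form submissions are assumed for illustration, and a constructed array stands in for $_POST so the script runs from the command line.

```php
<?php
// Added example, not from the original thread. Field names, limits and the
// sample submissions are assumptions made for illustration.

/**
 * Validate a login/admin form against what each field is expected to contain.
 * Returns an array of error messages; an empty array means every field passed.
 */
function validateForm(array $input): array
{
    $errors = [];

    // Numeric field: FILTER_VALIDATE_INT accepts only a well-formed integer
    // (no trailing junk), unlike an (int) cast, which silently turns
    // "42 OR 1=1" into 42 and hides the tampering.
    $id = filter_var($input['user_id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        $errors[] = 'user_id must be a positive integer';
    }

    // Username: an allow-list of characters plus a length cap. Anything
    // outside the list (quotes, spaces, "#", "--") is rejected, not escaped.
    $username = $input['username'] ?? '';
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        $errors[] = 'username must be 3-32 letters, digits or underscores';
    }

    // Password: only length limits, because any character is legitimate in a
    // password; a prepared statement, not validation, keeps it out of the SQL.
    $password = $input['password'] ?? '';
    if (strlen($password) < 8 || strlen($password) > 256) {
        $errors[] = 'password must be 8-256 characters';
    }

    return $errors;
}

// Constructed submissions: one honest, one carrying the payload from the
// question in two fields.
$honest  = ['user_id' => '42', 'username' => 'admin', 'password' => 'correct horse battery staple'];
$hostile = ['user_id' => '42 OR 1=1', 'username' => "admin' or 1=1#", 'password' => 'x'];

foreach (['honest' => $honest, 'hostile' => $hostile] as $label => $form) {
    $errors = validateForm($form);
    echo $label, ': ', $errors ? implode('; ', $errors) : 'ok', "\n";
}
```

The honest submission passes and the hostile one is reported with all three errors. Validation of this kind narrows what reaches the application; it complements, rather than replaces, a prepared statement at the point where the value meets the database.
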