2

I'm worried about SQL injection, so how do I prevent it? I'm using this script but have had several people tell me it's very insecure; if anyone can help by telling me how, it would be great :).

source code:

<?php
// Script from the question: $_POST['lastmsg'] is interpolated straight into the SQL
// string, which is the injection point the question is asking about.
if (isset($_POST['lastmsg']))
{
    $lastmsg = $_POST['lastmsg'];
    $result = mysql_query("SELECT * FROM updates WHERE item_id<'$lastmsg' ORDER BY item_id DESC LIMIT 16");
    $count = mysql_num_rows($result);
    while ($row = mysql_fetch_array($result))
    {
        $msg_id  = $row['item_id'];
        $message = $row['item_content'];
        // (remainder of the loop body is not included in the question)
    }
}
1 Comment

Is $lastmsg a numeric value? Commented Mar 31, 2011 at 22:40

5 Answers

6

Never, ever, put information from the user ($_POST or $_GET) directly into a query. If they are numbers, always convert them to integers first with (int)$var or intval($var); if they are strings, always escape them with mysql_real_escape_string().

Read https://www.php.net/mysql_real_escape_string and use it.


1 Comment

Note: Make sure you use mysql_real_escape_string NOT mysql_escape_string
2
$lastmsg = intval($_POST['lastmsg']);

2 Comments

This is the correct answer in this case. A check for a failed intval would be nice, though; otherwise it will default to 0, which can have unintended consequences.
Feel free to edit :) Thanks for the suggestions. Yes, he should check if it is > 0.
1

The best solution is migrating to mysqli_ or PDO and using prepared statements for your queries.

Comments
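The following is an added example, not code from the question or from any of the answers: the same "load older updates" query rewritten with PDO prepared statements, so that lastmsg is sent to MySQL as a bound integer parameter and never becomes part of the SQL text. It also applies the check suggested in the comments above (the value must be a positive integer, rejected instead of silently becoming 0). The table and column names are the ones from the question; the DSN, username and password are placeholders.

```php
<?php
// Added example: prepared statement + strict integer validation for lastmsg.
// Assumes the question's table/columns (updates, item_id, item_content);
// DSN and credentials below are placeholders.

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',   // placeholder DSN
        'app_user',                                           // placeholder credentials
        'app_password',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            // Real server-side prepares: the SQL text and the parameter travel
            // separately, so the value can never be parsed as SQL.
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

/**
 * Validate the client-supplied cursor: it must be an integer >= 1.
 * Returns null for anything else, instead of intval()'s silent 0.
 */
function parse_last_msg_id($raw): ?int
{
    if (!is_string($raw)) {          // lastmsg[]=... (an array) is rejected too
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Fetch up to 16 updates older than $lastId, with the cursor as a bound parameter. */
function fetch_older_updates(PDO $pdo, int $lastId): array
{
    $stmt = $pdo->prepare(
        'SELECT item_id, item_content
           FROM updates
          WHERE item_id < :last_id
          ORDER BY item_id DESC
          LIMIT 16'
    );
    $stmt->bindValue(':last_id', $lastId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Request handling equivalent to the original if (isset($_POST['lastmsg'])) block.
if (isset($_POST['lastmsg'])) {
    $lastId = parse_last_msg_id($_POST['lastmsg']);
    if ($lastId === null) {
        http_response_code(400);
        exit('lastmsg must be a positive integer');
    }
    $pdo = connect();
    foreach (fetch_older_updates($pdo, $lastId) as $row) {
        $msg_id  = $row['item_id'];
        $message = $row['item_content'];
        // ... render $msg_id / $message as the original loop did
    }
}
```

Two design points: the LIMIT stays a literal because only the cursor is user-controlled, and `parse_last_msg_id` compares against `false` with `===` because `filter_var` returns the integer 0 for a legitimate "0", which a plain `if (!$id)` would confuse with a validation failure.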

0

Make sure the magic_quotes_gpc directive is disabled in your PHP configuration (PHP.ini).

If lastmsg is a string and you are using mysql, do this:

$lastmsg = mysql_real_escape_string($_POST['lastmsg']);    

If lastmsg is a string and your DBMS does not have a native escape function, do this:

$lastmsg = addslashes($_POST['lastmsg']);

If lastmsg should be a number, check for that instead and don't do any escaping. You can use function is_numeric() and then cast the numeric string to an integer using intval().

Comments
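As an added illustration of the last paragraph above (this is not code from the answer), the block below runs a set of constructed sample inputs through is_numeric(), intval() and a strict filter_var(FILTER_VALIDATE_INT) check, so the differences between the three can be seen side by side. Results described here are for PHP 7.1 or later.

```php
<?php
// Added example: compare three ways of treating a client-supplied "lastmsg".
// The sample inputs are constructed for this demonstration.

/** Strict check: an integer >= 1, or null. A legitimate "0" fails min_range, not the === test. */
function strict_item_id(string $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

/** One row per input, recording what each check makes of it. */
function compare_checks(array $inputs): array
{
    $rows = [];
    foreach ($inputs as $raw) {
        $rows[] = [
            'input'      => $raw,
            'is_numeric' => is_numeric($raw),   // accepts floats and exponents
            'intval'     => intval($raw),       // leading digits, 0 on failure
            'strict'     => strict_item_id($raw),
        ];
    }
    return $rows;
}

// Constructed sample inputs: valid ids, edge cases, and non-integers.
$samples = ['42', '0', '-5', '', 'abc', '12abc', '3.7', '1e3', '0x1A'];

foreach (compare_checks($samples) as $r) {
    printf("%-8s is_numeric=%-5s intval=%-6d strict=%s\n",
        var_export($r['input'], true),
        $r['is_numeric'] ? 'true' : 'false',
        $r['intval'],
        $r['strict'] === null ? 'null' : (string) $r['strict']);
}
```

Running it shows why the answer's combination of is_numeric() and intval() needs care: is_numeric() accepts "3.7", "-5" and "1e3", none of which is a usable item id; intval() turns "12abc" into 12 and "abc" or "" into 0, so a failed conversion is indistinguishable from a real 0 unless you check separately; the strict variant returns an int only for "42" and null for every other sample, which is the behaviour the comments on the intval() answer ask for.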

0

You can simply add this:

$lastmsg=addslashes($_POST['lastmsg']);

For a larger scale you can use a more robust solution; here is the function you can use:

function escape_value($value) {
    // magic_quotes_gpc (removed in later PHP versions) may already have added slashes
    $magic_quotes_active = get_magic_quotes_gpc();
    // prefer the MySQL-aware escape function when the extension provides it
    $new_php = function_exists("mysql_real_escape_string");
    if ($new_php) {
        if ($magic_quotes_active) {
            // undo the magic-quotes slashes so the value is not escaped twice
            $value = stripslashes($value);
        }
        $value = mysql_real_escape_string($value);
    } else {
        // fallback: generic slash escaping, unless magic quotes already did it
        if (!$magic_quotes_active) { $value = addslashes($value); }
    }
    return trim($value);
}

mysql_real_escape_string is not always available, so here is a workaround.

2 Comments

addslashes is not the right choice. You need to use mysql_real_escape_string() to be protected from injection. See stackoverflow.com/questions/3473047/…
Quoting the PHP documentation: "It's highly recommended to use DBMS specific escape function (e.g. mysqli_real_escape_string() for MySQL)"
