Thread: MySQL Injection

  1. #1

    MySQL Injection

    At the end of a Flash game I'm developing I have a submission form which submits the player's score, as well as user-entered values for first name, last name, email address etc.

    These values are sent as variables to an amfphp service which enters them into a MySQL database.

    I'm aware of the need to prevent MySQL injection, be it accidental or malicious, and had thought it would be a simple case of using some php string functions on the variables before entering them into the database.

    However, if I enter:

    INSERT ";" WHERE id='firstName'

    as the 'firstName' variable, I get the "You have an error in your syntax" message.

    I have tried

    htmlspecialchars(theString)
    strip_tags(theString)
    htmlentities(theString)

    But none of them seem to prevent the database from thinking I am trying to insert a new row.

    If anyone can advise on this matter I'd very much appreciate it.

  2. #2
    Sorted. For anyone else having trouble:

    PHP Code:
        function no_inject($value) {
            // Strip the slashes that magic quotes added
            if (get_magic_quotes_gpc()) {
                $value = stripslashes($value);
            }
            // Escape if not numeric
            if (!is_numeric($value)) {
                $value = mysql_real_escape_string($value);
            }
            return $value;
        }
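
An added example, not code from the thread: binding the values as parameters of a prepared statement keeps the input from post #1 out of the SQL text, whereas htmlspecialchars() encodes for HTML and leaves the single quote in place. It assumes PDO with an in-memory SQLite database as an offline stand-in for MySQL; the scores table, its columns and both function names are hypothetical.

```php
<?php
// Added example. In-memory SQLite stands in for MySQL so it runs offline;
// the table, columns and function names are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE scores (first_name TEXT, email TEXT, score INTEGER)');

// Before: the value is HTML-encoded and then pasted into the SQL text.
// ENT_COMPAT (the default before PHP 8.1) leaves single quotes untouched,
// so the quote in the input still ends the string literal early.
function saveConcatenated(PDO $pdo, string $firstName, int $score): void
{
    $encoded = htmlspecialchars($firstName, ENT_COMPAT);
    $pdo->exec("INSERT INTO scores (first_name, score) VALUES ('$encoded', $score)");
}

// After: validate by type, then bind every value as a parameter so it is
// sent as data and never parsed as SQL.
function saveScore(PDO $pdo, string $firstName, string $email, string $score): bool
{
    // FILTER_VALIDATE_INT rejects values such as '1e3', which is_numeric() accepts.
    $points = filter_var($score, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($points === false || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $stmt = $pdo->prepare(
        'INSERT INTO scores (first_name, email, score) VALUES (:first, :email, :score)'
    );
    $stmt->bindValue(':first', $firstName, PDO::PARAM_STR);
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':score', $points, PDO::PARAM_INT);
    return $stmt->execute();
}

// The input from post #1; the e-mail addresses and scores are constructed samples.
$firstName = 'INSERT ";" WHERE id=\'firstName\'';

try {
    saveConcatenated($pdo, $firstName, 1200);
} catch (PDOException $e) {
    echo 'Concatenated query rejected: ', $e->getMessage(), PHP_EOL;
}

var_dump(saveScore($pdo, $firstName, 'player@example.com', '1200'));
$stored = $pdo->query('SELECT first_name FROM scores')->fetchColumn();
var_dump($stored === $firstName); // compare the stored text with the input
var_dump(saveScore($pdo, 'Sam', 'sam@example.com', '1e3'));
```

With MySQL only the DSN and credentials passed to `new PDO` change; the prepare, bindValue and execute calls stay the same.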
