Comments on: Stopping SQL Injections

By: NickDuncan

NickDuncan — Sun, 13 Dec 2009 18:36:47 +0000

Thanks for the input guys. As and when I learn more, I’ll keep it updated.

By: Relic Viper

Relic Viper — Sun, 13 Dec 2009 16:48:22 +0000

Shot man… very good article.
defiantly going to add this to my scripts

By: Wogan

Wogan — Fri, 11 Dec 2009 16:13:01 +0000

In my scripts I generally have a startup file – one that includes all the other functions, connects to the database, etc. One function in particular (“request_clean()”) is run on all the inputs, like so:
foreach($_GET as $key => $value) { $_GET[$key] = request_clean($value); };
request_clean does all the fancy escaping, etc, cleaning the data before you even use it in your script. Chances are it’s not entirely foolproof, but it’s an easy-to-implement step.
~ Wogan

By: NickDuncan

NickDuncan — Fri, 11 Dec 2009 04:02:59 +0000

Thanks Robert. You’re absolutely right, the more roadblocks you have the better. Rather be safe than sorry!

By: Robert Bravery

Robert Bravery — Thu, 10 Dec 2009 21:26:50 +0000

Nice article. Probably a bit technical for most users, and probably most never knew this actually happens.
I hardly ever have variable in my query string for starters. I always sanitise my variables .
You can use session variables instead, still sanitise and do the necessary.
Necer construct your query string from your variables. You know what you SQL query should look like. Construct it yourself. Only take the value of the parameter, then as you demonstrate check and clean the variable out.
Never use Dynamic queries. Use parametrised queries.
Always test and be vigilant. Never think that if you implement one solutions that you are safe. Implement as many roadblocks as you can.