Comments for Preventing MySQL Injection attacks with PHP

8 comments for this article.

Posted: 2007-11-06 18:03:26 by deepak
This is a great web site for a beginner as well as a professional....
Really marvellous...
Thanks for this kind of in-depth internal knowledge...
It's really interesting to read this...
Posted: 2007-11-20 09:09:19 by senthil
It's very good and it works fine.
Very useful function you have written.
How do I handle this in the case of MSSQL?
Expecting your reply.
Posted: 2007-11-20 09:10:03 by lobo235 - Netlobo Staff Member
I am not familiar with MSSQL. I have only worked with Oracle and MySQL.
Posted: 2007-11-29 11:17:02 by Robert
The quote_smart function given here, taken from the PHP docs, has some flaws. You should refer to the notes in the documentation for updated versions and discussion on changes:

http://us3.php.net/manual/en/function.mysql-real-escape-string.php#78893
Posted: 2008-08-19 09:29:35 by killbill
Is there some reason I am missing why this code will only work when I create a session with session_start()?

When I run this code on a form without session_start() it does not work.
Posted: 2008-08-19 09:30:27 by lobo235 - Netlobo Staff Member
This code does not rely on a call to session_start(). You must have something else in your code that relies upon it.
Posted: 2008-08-27 19:40:26 by NachoF
I am trying to replicate these vulnerabilities but I can never seem to actually exploit it...

$sql="SELECT login, password,privilegio FROM usuario WHERE login='".$login."' AND password='".$password."'";

I have tried typing ' OR ''='' into my input text box but it never passes the
if($num_rows>=1)
{
header("Location: frame1.html?nom=$login");
}

When I normally type the correct name and password it does.
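The comment above concatenates user input straight into the SQL text. The following is an added example, not code from the article or from the commenter: a Python/sqlite3 analogue of that PHP line, placed beside a parameterized version, so you can see why a quote character in the input changes the structure of the concatenated query while the parameterized query treats the same input purely as data. The table, the account row and the probe input are constructed sample data; sqlite3 uses the same `''` quote-escaping rule as MySQL, so the parser's reaction to the concatenated string is comparable.

```python
import sqlite3


def make_db():
    # Constructed sample data: one account in the same table shape as the comment's query.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usuario (login TEXT, password TEXT, privilegio TEXT)")
    conn.execute("INSERT INTO usuario VALUES ('alice', 's3cret', 'user')")
    conn.commit()
    return conn


def build_concatenated_sql(login, password):
    # Same construction as the PHP line in the comment: the input becomes part of the SQL text,
    # so any quote inside it is parsed as SQL syntax rather than as a value.
    return ("SELECT login, password, privilegio FROM usuario WHERE login='"
            + login + "' AND password='" + password + "'")


def vulnerable_lookup(conn, login, password):
    return conn.execute(build_concatenated_sql(login, password)).fetchall()


def safe_lookup(conn, login, password):
    # Placeholders: the SQL text is fixed, and the driver passes the values separately.
    # Quotes in the values never reach the parser as syntax, whatever the user typed.
    sql = "SELECT login, password, privilegio FROM usuario WHERE login=? AND password=?"
    return conn.execute(sql, (login, password)).fetchall()


def vulnerable_query_fails(conn, login, password):
    """True when the concatenated query is no longer valid SQL for this input,
    i.e. the input altered the statement's structure instead of being compared as data."""
    try:
        vulnerable_lookup(conn, login, password)
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    conn = make_db()
    probe = "' OR ''=''"  # the input mentioned in the comment, used here as constructed test data
    return {
        # A correct login works with both versions.
        "normal_vuln": len(vulnerable_lookup(conn, "alice", "s3cret")),
        "normal_safe": len(safe_lookup(conn, "alice", "s3cret")),
        # The concatenated text now contains the probe's quotes as SQL syntax ...
        "probe_sql": build_concatenated_sql(probe, "x"),
        # ... which for this particular input leaves an unbalanced quote and a parse error,
        # the symptom the commenter describes: the row count check is never reached.
        "probe_vuln_breaks": vulnerable_query_fails(conn, probe, "x"),
        # The parameterized query simply finds no account named "' OR ''=''".
        "probe_safe": len(safe_lookup(conn, probe, "x")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point for the defender is the contrast between the two functions: with concatenation, the shape of the statement depends on what the user typed, and a parse error on one input is no guarantee about others; with placeholders, the statement is fixed before any input is seen. In PHP the equivalent is a prepared statement through mysqli or PDO, which is the fix the article's escaping function approximates.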
Posted: 2009-10-10 05:33:35 by jurerick
Wow, great! Thanks