SQL Inject / mysqli_real_escape_string
#1
How to prevent SQL injection using something other than mysqli_real_escape_string and statements of mysqli?
#2
I guess you mean "prepared statements"? Why can't you make use of them?

The alternative is of course to never directly put any user input into the query. This can be accomplished by comparing the input against certain, known constants, and setting a matching constant in the query.

E.g.
Code:
// Assumes $conn is an open mysqli connection (not shown in the original post).
if ($_GET['input'] === "test") {
    $myvar = "testconstant";      // only a constant written by us ever reaches the query
}
else if (... === "test") {        // the poster's placeholder for a further comparison
    $myvar = "testconstant";
}
// If no branch matched, $myvar is unset; reject the request or set a default here.
mysqli_query($conn, "SELECT * FROM x WHERE y='$myvar'");

Other alternatives include running intval() or similar on the variables, so that you know that the result will be only a number.
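The three approaches from the answer above (prepared statements, comparing input against known constants, and intval()) side by side with the unsafe concatenation they replace. This is an added example, not code from the thread; it uses Python's sqlite3 so it runs offline, but each function maps directly onto mysqli (prepare() + bind_param(), a constant lookup, intval()). The table x / column y and the rows are constructed for the demo.

```python
import sqlite3

SORT_COLUMNS = {"name": "y", "score": "score"}  # allow-list: request key -> real column


def make_db():
    # Constructed in-memory stand-in for the thread's table x with column y.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE x (id INTEGER PRIMARY KEY, y TEXT, score INTEGER)")
    conn.executemany("INSERT INTO x (y, score) VALUES (?, ?)",
                     [("test", 10), ("other", 20), ("admin", 30)])
    return conn


def find_unsafe(conn, user_input):
    # The pattern to avoid: input spliced into the SQL text, so a quote in the
    # input becomes SQL syntax and changes what the WHERE clause means.
    rows = conn.execute(f"SELECT y FROM x WHERE y='{user_input}'")
    return [r[0] for r in rows]


def find_prepared(conn, user_input):
    # Prepared statement (mysqli: prepare() + bind_param()). The placeholder is
    # filled by the driver, so the input is always data, never SQL.
    rows = conn.execute("SELECT y FROM x WHERE y=?", (user_input,))
    return [r[0] for r in rows]


def list_sorted(conn, sort_key, limit):
    # Identifiers such as an ORDER BY column cannot be bound as parameters, so
    # this is where the thread's compare-against-known-constants approach is
    # needed: map the request key to a column name we wrote ourselves.
    column = SORT_COLUMNS.get(sort_key)
    if column is None:
        raise ValueError("unknown sort column")
    # intval() equivalent: only a number reaches the query (Python raises on
    # junk such as "10 OR 1=1" rather than truncating it as PHP's intval does).
    limit = int(limit)
    if limit < 0:
        raise ValueError("limit must be non-negative")
    rows = conn.execute(f"SELECT y FROM x ORDER BY {column} LIMIT ?", (limit,))
    return [r[0] for r in rows]
```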