Reece S — Mon, 17 Dec 2007 17:07:48 +0000

mscreashuns: I kinda understand, but I will probably be raking wikipedia before the nights out.
Cheers for ur reply.

pr0gr4mm3r — Mon, 17 Dec 2007 15:35:26 +0000

Quote: OMFG!!! T^hat is soo scary! will this simple escape string script prevent that? (the video)

Yup, that function escapes characters like single quotes (') to prevent attacks like this. Just make sure that you escape your inputs and enclose your fields in single quotes (which you are already doing) when you write SQL queries.

Quote: Thanks Programmer, you have really helped me out these last few days, I am very greatful for everything. and good luck with your own website too.

You're welcome. Glad to be a help.

mscreashuns — Mon, 17 Dec 2007 12:46:35 +0000

I can't think of the exact technical way to explain this, but just think of it like this:

PHP is a server-side language that works with the server to render the code. This code is output to the user's computer as HTML, and so there actually is no PHP in the page source. The PHP lies in the file itself, but the viewer only sees the web page.

Does that make any more sense to you than it sounds like it does?

Reece S — Mon, 17 Dec 2007 11:42:18 +0000

OMFG!!! T^hat is soo scary! will this simple escape string script prevent that? (the video)

can someone please try and do that injection thing on my website, I want to see if it will hold out.

I noticed something... when I upload, then take a look at the online source (via browser) the php script is hidden, how, and why is that? Its good, as it hides the page's tasks and technology, plus if someone copies, and pastes, it wont work properly, but why does it do it? surly there is a more technical reason, not just for security.

Reece S — Mon, 17 Dec 2007 11:36:56 +0000

interesting... IDK why someone would want to wreck anothers hard work, but thats why we all have firewalls i guess

Thanks Programmer, you have really helped me out these last few days, I am very greatful for everything. and good luck with your own website too.
Thanks again.

pr0gr4mm3r — Mon, 17 Dec 2007 04:16:30 +0000

Yes, that looks good. As for your SQL injection question, here are a couple of resources that could explain it better than I can.

http://en.wikipedia.org/wiki/SQL_injection - Wikipedia article on it

http://unixwiz.net/techtips/sql-injection.html - Several examples

http://www.youtube.com/watch?v=MJNJjh4jORY - Video with the use of SQL injection to break into a university site.

Reece S — Sun, 16 Dec 2007 23:35:27 +0000

right, just so we clear, this is my current newsletter process file...

<?php
include(\"dbconnect.php\");
mysql_select_db(pcgenius_members)
or die (\"Could not select database because \".mysql_error());
$category=mysql_real_escape_string($_POST['category']); 
$email=mysql_real_escape_string($_POST['email']); 
$check = \"select email from newsletter where email = '\".$_POST['email'].\"'\";
$qry = mysql_query($check)
or die (\"Could not match data because \".mysql_error());
$num_rows = mysql_num_rows($qry);
if ($num_rows != 0) {
header('location: email_taken.php');
} else {
mysql_query(\"INSERT INTO `newsletter` VALUES ('$category', '$email')\"); 
header('location: registered.php'); 
}
 
?>

look OK?

Reece S — Sun, 16 Dec 2007 23:33:01 +0000

aha, sorted, this is OK. but what exactly would a malicious programmer be able to do with the previous version?
in other words, what harm would queries hold? as long as they arent "INSERT"s

pr0gr4mm3r — Sun, 16 Dec 2007 23:09:43 +0000

Yup, that's all that's needed. You might have to connect to the database before you run that though. Just move the mysql_select_db(pcgenius_members) or die ("Could not select database because ".mysql_error()); line to the top.

Reece S — Sun, 16 Dec 2007 22:51:18 +0000

OK, would that by any chance do this?

replace...

<?php
$fname=($_POST['fname']); 
?>

with...

<?php
$fname=mysql_real_escape_string($_POST['fname']); 
?>

Is that what you mean?