
SQL injection


deceylon


They are about equal in security (in terms of SQL injection). Most techniques that are used for SQL injection can be applied to both types.



I didn't know anything about this, and just started reading about it also. Here's the link to the w3schools description and example on this topic: http://www.w3schools.com/php/func_mysql_re...cape_string.asp

Edit: This is a fairly important topic, maybe someone should pin this?


SQL Injection is where a user can enter their own SQL code. An example would be, your code with PHP variables:

"SELECT * FROM users_table WHERE username='$username' AND password='$password'"

User enters an administrator account into the username box and ' OR '1'='1 into the password box. That looks like this with your SQL:

"SELECT * FROM users_table WHERE username='MyAdminAccount' AND password='' OR '1'='1'"

You should see that the logic in the SQL code checks to see if your passwords match OR 1=1. We know 1=1 so it is true and will grab the information you planned on getting.

It is important to know exactly what you want the user to enter. You can use regular expressions, functions, etc. to check the information they entered. Also use mysql(i)_real_escape_string() as it escapes characters such as ', ", \, etc.

EDIT: Read the php, mysql manuals.

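The login query from the post above, reproduced as an added example (not from the thread or any of its posters). It uses Python with an in-memory SQLite table instead of PHP/MySQL, and contrasts the string-built query with a parameterized one, which is what escaping functions like mysqli_real_escape_string() are trying to achieve; the table, the account name and the password are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample database: one users_table row, as in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users_table VALUES ('MyAdminAccount', 'correct-horse')"
    )
    return conn


def login_vulnerable(conn, username, password):
    """The post's pattern: user input spliced straight into the SQL text.

    With password = "' OR '1'='1" the WHERE clause becomes
    password='' OR '1'='1', which is always true, so a row is returned
    without the real password.
    """
    query = (
        f"SELECT * FROM users_table "
        f"WHERE username='{username}' AND password='{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Same check with placeholders: the driver sends the input as data,
    so quotes inside it never change the query's structure."""
    query = "SELECT * FROM users_table WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    """Run both versions with the post's input; returns (vulnerable, safe)."""
    conn = make_db()
    injected = "' OR '1'='1"
    return (
        login_vulnerable(conn, "MyAdminAccount", injected),
        login_safe(conn, "MyAdminAccount", injected),
    )


if __name__ == "__main__":
    vuln, safe = demo()
    print("string-built query accepted bad password:", vuln)   # True
    print("parameterized query accepted bad password:", safe)  # False
```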

I also found this on the php.net website which includes several discussions on the topic, as well as several examples: http://us2.php.net/manual/en/function.mysq...cape-string.php

