deceylon Posted March 23, 2008
Have you heard about SQL injection? Is it only applicable to MS SQL? How do you compare MySQL and MS SQL in the context of security?
Synook Posted March 23, 2008
They are about equal in security (in terms of SQL injection). Most techniques that are used for SQL injection can be applied to both types.
astralaaron Posted April 6, 2008
I was recently reading about it. I think it is important to know what you are making your databases secure from... they work on MySQL also. Don't let people enter quotes into your text fields! Escape the string!!
supertrucker Posted May 3, 2008
I didn't know anything about this, and just started reading about it also. Here's the link to the w3schools description and example on this topic: http://www.w3schools.com/php/func_mysql_re...cape_string.asp

Edit: This is a fairly important topic, maybe someone should pin this?
zppblood Posted May 4, 2008
SQL injection is where a user can enter their own SQL code. An example would be:

Your code with PHP variables:

"SELECT * FROM users_table WHERE username='$username' AND password='$password'"

The user enters an administrator account into the username box and ' OR '1'='1 into the password box. It looks like this with your SQL:

"SELECT * FROM users_table WHERE username='MyAdminAccount' AND password='' OR '1'='1'"

You should see that the logic in the SQL code checks to see if your passwords match OR 1=1. We know 1=1, so it is true and will grab the information you planned on getting.

It is important to know exactly what you want the user to enter. You can use regular expressions, functions, etc. to check the information they entered. Also use mysql(i)_real_escape_string() as it escapes characters such as ', ", \, etc.

EDIT: Read the PHP and MySQL manuals.
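The bypass zppblood describes, reproduced as a runnable added example (not code from any poster in this thread). It uses Python's sqlite3 module and a constructed in-memory users_table so it runs offline; the table name, columns and the 'MyAdminAccount' row are taken from the post, the password value 'correct-horse' is made up. The first function builds the query by string interpolation like the PHP example and lets the injected password match the row; the second passes the same inputs as bound parameters, which is the prepared-statement equivalent of the escaping advice in the post, and the quote characters are treated as data.

```python
import sqlite3


def make_db():
    # Constructed sample data: a throwaway in-memory database with one admin row.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_table (username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users_table VALUES ('MyAdminAccount', 'correct-horse')"
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Query text is assembled from user input, exactly like the PHP string in the post.
    # Anything the user types becomes part of the SQL grammar, quotes included.
    sql = (
        f"SELECT * FROM users_table WHERE username='{username}' "
        f"AND password='{password}'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    # Placeholders: the driver sends the values separately from the statement,
    # so a quote in the password is compared literally instead of closing the string.
    sql = "SELECT * FROM users_table WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    conn = make_db()
    injected = "' OR '1'='1"
    return {
        # The concatenated query becomes ... password='' OR '1'='1' and matches every row.
        "vulnerable_rows": len(login_vulnerable(conn, "MyAdminAccount", injected)),
        # The same input as a bound parameter matches nothing.
        "parameterized_rows": len(login_parameterized(conn, "MyAdminAccount", injected)),
        # The real password still works through the parameterized path.
        "legit_rows": len(login_parameterized(conn, "MyAdminAccount", "correct-horse")),
    }


if __name__ == "__main__":
    print(demo())
```

In PHP the equivalent of login_parameterized is mysqli_prepare() with bind_param(), or PDO with bound placeholders; escaping with mysqli_real_escape_string() also neutralises this particular payload but only for quoted string literals, which is why bound parameters are the safer default.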
supertrucker Posted May 5, 2008
I also found this on the php.net website, which includes several discussions on the topic, as well as several examples: http://us2.php.net/manual/en/function.mysq...cape-string.php
Archived
This topic is now archived and is closed to further replies.