Jesus 'n Jim
A PC and somewhat Mac oriented site with Software and Repair Info and How-To's on Using Computers

Avoiding SQL Injection Attacks


For the benefit of general PHP/MySQL scripters (and without having looked through this particular script's source), I would suggest a few precautions that anyone should take:

  • Make sure that single quotes, double quotes and backslashes can't get into your queries - either by removing them, or escaping them — addslashes(), stripslashes(), mysql_real_escape_string(), etc.
  • Limit the size of strings that your users can input - in cases like username and password, set a maximum length of, say, 8 characters, and truncate input strings at that limit (or reject them). That limits the scope for tacking on things like "AND 1=1" to the end of user names.
  • Catch errors to a log to which users do not have access - they only need to know that 'an error occurred', and not that it occurred in the query "SELECT foo FROM baa WHERE shamalama = 'dingdong'", information that may be useful to an attacker.
And I'm sure there's plenty more...
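The three precautions above, worked through in one runnable example. This is added illustration code, not part of the original post or of any PHP script it refers to; it uses Python's built-in sqlite3 module with an in-memory database standing in for PHP/MySQL, and the user table, the `alice` account and the sample inputs are all constructed for the demonstration. Instead of stripping or escaping quotes with the PHP functions named in the first point, it goes one step further and passes user input as bound query parameters (the equivalent of mysqli or PDO prepared statements in PHP), which keeps quotes, backslashes and comment markers from ever being read as SQL. The length limit and the generic-error-to-user / detail-to-log split follow the second and third points directly; `SERVER_LOG`, `MAX_FIELD_LEN` and `GENERIC_ERROR` are names chosen here, not from the page.

```python
"""Constructed example: the three precautions against SQL injection
(parameter binding so no quotes reach the SQL, a length limit on user
fields, and error detail kept in a server-side log while the user sees
only a generic message). Uses sqlite3 in memory in place of PHP/MySQL."""
import sqlite3

MAX_FIELD_LEN = 8                   # the 8-character limit suggested above
SERVER_LOG = []                     # stands in for a log file users cannot read
GENERIC_ERROR = "an error occurred"  # all the user is told


def make_db():
    """Constructed sample database with a single user.
    Passwords are stored in plain text only to keep the example short;
    a real application stores a password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_unsafe(conn, username, password):
    """The pattern the post warns against: user input pasted straight
    into the query text, so a quote in the input rewrites the query."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def check_length(value):
    """Reject over-long fields before they get anywhere near the query
    (the post also allows truncating instead of rejecting)."""
    if len(value) > MAX_FIELD_LEN:
        raise ValueError("field exceeds %d characters" % MAX_FIELD_LEN)
    return value


def login_safe(conn, username, password):
    """Returns (logged_in, message_for_user).
    The input travels as bound parameters, so quotes, backslashes and
    '--' are plain data and never change the query's structure."""
    try:
        username = check_length(username)
        password = check_length(password)
        row = conn.execute(
            "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
            (username, password),
        ).fetchone()
        return row[0] > 0, None
    except (ValueError, sqlite3.Error) as exc:
        # Full detail, query errors included, goes only to the server log.
        SERVER_LOG.append("login failed: %s" % exc)
        return False, GENERIC_ERROR


if __name__ == "__main__":
    db = make_db()
    payload = "alice'--"          # 8 chars: the quote closes the literal and
                                  # '--' comments out the password check
    print("unsafe:", login_unsafe(db, payload, "wrong"))  # True: no password needed
    print("safe:  ", login_safe(db, payload, "wrong"))    # (False, None): just an unknown user
    print("long:  ", login_safe(db, "a" * 20, "x"))       # (False, 'an error occurred')
    print("log:   ", SERVER_LOG)                           # the detail the user never sees
```

Running the script shows the contrast directly: the same 8-character username logs the attacker in through `login_unsafe` but is simply an unknown user to `login_safe`, and the over-long input is turned away with the generic message while the reason lands in `SERVER_LOG`.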