Is this password protection script safe from SQL injection?

Hi all,

I’ve had a bit of trouble with this script I found. Someone entered in some junk into the password field and broke my website for 15 minutes. I couldn’t get into FTP, or into my host’s control panel.

All they did was enter ==’1=1

That’s a pretty bad flaw!

I just don’t know how to apply ctype_alnum to ensure that only alphanumeric values are read by this script, so I can prevent failures like this from happening again.

Also is this script protected from SQL injection?

[ATTACH]15317[/ATTACH]


PHP

1 comment
@NogDog, Jan 16, 2013 — Well, if it broke when they entered that text, then it's probably not SQL injection proof.

The best way (IMO) is to use the MySQLi or PDO database extension along with bound input parameters. If that is not feasible for some reason and you have to use the old (and now-deprecated) MySQLi extension, then you should cast any numeric field values to the appropriate type ( (int) or (float) ) or apply mysql_real_escape_string() to any character/string values.
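Since the original script was lost with the attachment, here is an added example (not the poster's code and not from the answer) of the two approaches the reply describes, plus the ctype_alnum() check the question asks about. It assumes a `users` table with `username` and `password_hash` columns (the hash produced by password_hash()), and the DSN and credentials are placeholders.

```php
<?php
declare(strict_types=1);

// Added example. Assumed schema: users(id INT, username VARCHAR, password_hash VARCHAR).

// Pattern to avoid (for contrast): user input is pasted into the SQL text,
// so a quote or operator in $user or $pass becomes part of the query.
function checkLoginUnsafe(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT id FROM users WHERE username = '$user' AND password = '$pass'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row !== false;
}

// ctype_alnum() answers the question's request: accept only [A-Za-z0-9].
// Apply it to identifiers like the username; a password should be allowed
// to contain any character, so it is validated by length only and never
// placed in the SQL text at all.
function validateUsername(string $user): bool
{
    return $user !== '' && strlen($user) <= 32 && ctype_alnum($user);
}

// Hardened form: a bound parameter. The driver sends the value separately
// from the statement, so "==’1=1" or a quote in $user cannot change the query.
function checkLogin(PDO $db, string $user, string $pass): bool
{
    if (!validateUsername($user) || strlen($pass) > 1024) {
        return false;
    }
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        return false;                        // no such user
    }
    return password_verify($pass, (string) $hash);
}

// The fallback the reply mentions for numeric fields when bound parameters
// are not available: cast first, so only digits can reach the SQL.
function fetchUsernameById(PDO $db, string $idFromRequest): ?string
{
    $id = (int) $idFromRequest;
    $name = $db->query("SELECT username FROM users WHERE id = $id")->fetchColumn();
    return $name === false ? null : (string) $name;
}

// Usage; runs only when a form was actually submitted.
if (isset($_POST['username'], $_POST['password'])) {
    // Placeholder DSN and credentials; replace with your own.
    $db = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepared statements
    ]);
    $ok = checkLogin($db, (string) $_POST['username'], (string) $_POST['password']);
    echo $ok ? 'Login OK' : 'Login failed';
}
```

Disabling emulated prepares makes PDO use real MySQL prepared statements, so the parameter is never spliced into the SQL string client-side; the ctype_alnum() check is still worth keeping as a defence in depth and to reject obviously junk input before it reaches the database.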