Home/ Questions/Q 8317695
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-08T21:41:38+00:00

Possible Duplicate: The ultimate clean/secure function I have run into a few problems with

  • 0

Possible Duplicate:
The ultimate clean/secure function

I have run into a few problems with some of my coding, I have unwillingly uncovered a possible sql injection in my script and I can’t seem to resolve the issue, so I wondered if anyone from around here could help out with it.

Can I just say I am fine coding my scripts, its just I have absolutely no idea how database injections happen, how they work or how to prevent them, however it is quite clear my cleaning function does not work as intended.

Here is the offending chunk of code, when I add the following after id it will spit out a MySQL error, which I have read alot about that meaning my code is vulnerable.

&id=369';

So just adding a comma and a semi-colon breaks the MySQL query, that isn’t desired. Here is the code that handles the query and displays the data;

$id = $this->clean($_GET['id']);
#$id = filter_input(INPUT_GET, 'id', FILTER_SANITIZE_STRING);
$pm_query = mysql_query("SELECT * FROM `staff_pm` WHERE `id` = '{$id}' AND `status` IN(0, 1)") or die(''.mysql_error());

So I have tried one of the integrated functions within PHP but that spits out the same sql error, this is my cleaning function which I was told beforehand was fine:

function clean( $str )
{
return mysql_real_escape_string( htmlspecialchars( trim( $str ) ) );
}

Just really wanted to know your opinions on the matter, it is a constant worry that my coding will be taken advantage of by a person who is looking for these types of vulnerabilities, and I really want to make sure it is up to scratch and learn some techniques to better protect it.

I have been told to convert to PDO, however it seems like a large job converting and I will wait until I come to re-creating the application before I do that, where I am going to go for a much more object-orientated approach.

The SQL error I receive is this:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘\’; AND status IN(0, 1)’ at line 1

Thank you for any help, I really do appreciate it.

Regards

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I’d also recommend not using the obsolete mysql_* functions and instead use PDO.

    But to fix your existing code, use intval.

    $id = intval($_GET['id']);
    • 0