SQL Injection Problem
Posted by nimasdj, 09-19-2007, 03:01 PM |
Hello,
I wrote a code like this:
function fetch_database($fetch_info){
    global $db_host, $db_user, $db_pass, $db_name, $results, $num;
    $link = mysql_connect($db_host, $db_user, $db_pass) or die("Couldn't connect to the database! " . mysql_errno() . " : " . mysql_error());
    mysql_select_db($db_name, $link) or die("Could not select database! " . mysql_errno() . " : " . mysql_error());
    $query = mysql_query($fetch_info, $link) or die("Couldn't update the information. " . mysql_errno() . " : " . mysql_error());
    // reset the globals first, so a query that returns no rows does not leave the previous call's rows in $results
    $num = 0;
    $results = array();
    if (mysql_num_rows($query) > 0) {
        $num = mysql_num_rows($query);
        while ($row = mysql_fetch_assoc($query)) {
            $results[] = $row;   // one associative array (column => value) per row
        }
    }
    mysql_close($link);
    return true;
}
This code gets $db_host, $db_user, $db_pass, $db_name variables from config.php file by globaling them.
wherever in my code I could have:
$fetch_info = "SELECT * FROM table";
fetch_database($fetch_info);
By calling this function I can pass a query and get an associative array of the results in the $results array. Then I can have, for example, $results[0]['username'] etc. The first dimension is the row number, the second dimension is the column name.
As you can see, this code is still vulnerable to an SQL injection attack.
So I wrote this one where I want to pass a query to this function:
$link = mysql_connect($db_host, $db_user, $db_pass) or die("Couldn't connect to the database! " . mysql_errno() . " : " . mysql_error());
// if magic_quotes_gpc is on, PHP has already added backslashes; strip them so the value is not escaped twice
if (get_magic_quotes_gpc()) {
    $username = stripslashes($_POST['username']);
} else {
    $username = $_POST['username'];
}
// escape the value for this connection's character set before it is placed inside the quoted string
$fetch_info = sprintf("SELECT admin_id, admin_pswrd, permission FROM admin WHERE admin_user_name = '%s'", mysql_real_escape_string($username, $link));
fetch_database($fetch_info);
It works fine, but as you can see this code is not yet professionally written.
Can anyone re-write this as a class or function in a very professional way, so that I can pass any $_POST thing to it? We won't know what the keys and values of $_POST are, so I think first we should parse the array and run stripslashes if gpc is on, then re-make it as an array to pass to the code. Also we won't know how many $_POST things we have, so that we would know how many mysql_real_escape_string calls are necessary there.
So the only solution is coding it as a class rather than a function, but I don't know OOP. Can anyone help me re-coding it? I'll appreciate your time.
Regards,
|
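One way to build the class asked for above, as an added example that is not code from the thread or from the handleMYSQL class linked in the reply below: it uses PDO prepared statements, so a form value is sent to the server as a bound parameter and never becomes part of the SQL text, which removes the need for the stripslashes / mysql_real_escape_string juggling per field. It assumes PHP 7.4 or later with the pdo_mysql extension (magic quotes no longer exist there, so no gpc check is needed) and the same $db_host, $db_name, $db_user, $db_pass variables from config.php; the class and method names are the example's own.

```php
<?php
// Added example, not from the thread: a small PDO wrapper that returns rows the
// way the thread's $results array did, without interpolating user input into SQL.

class Database
{
    private PDO $pdo;

    public function __construct(string $host, string $name, string $user, string $pass)
    {
        $dsn = "mysql:host={$host};dbname={$name};charset=utf8mb4";
        $this->pdo = new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of die()
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,       // rows as column => value
            PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side prepares, not client-side quoting
        ]);
    }

    /**
     * Run a SELECT that uses named placeholders (:name) and return all rows as an
     * array of associative arrays, i.e. $rows[0]['username'] like the thread's $results.
     * $params maps each placeholder to the raw value; PDO binds it, no escaping needed.
     */
    public function fetch(string $sql, array $params = []): array
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll();
    }

    /**
     * Keep only the expected keys from a request array such as $_POST.
     * Unknown keys are dropped and missing or non-string ones become null, so the
     * query code never has to guess how many fields arrived or what they were.
     */
    public static function pick(array $input, array $allowed): array
    {
        $out = [];
        foreach ($allowed as $key) {
            $out[$key] = (isset($input[$key]) && is_string($input[$key])) ? $input[$key] : null;
        }
        return $out;
    }
}

// Usage with the credentials from config.php (assumed, as in the question).
$db = new Database($db_host, $db_name, $db_user, $db_pass);

// The admin lookup from the second snippet: the username is bound as a parameter,
// so quotes or SQL keywords inside it are compared as literal text, never parsed.
$form = Database::pick($_POST, ['username']);
$rows = $db->fetch(
    'SELECT admin_id, admin_pswrd, permission FROM admin WHERE admin_user_name = :username',
    [':username' => $form['username']]
);
$admin = $rows[0] ?? null;   // null when no row matched
```

The whitelist in pick() is the answer to "we won't know what the keys of $_POST are": the code decides which keys it accepts, and everything else is ignored. Column and table names cannot be bound as parameters, so if a query ever has to choose a column from user input, map the input to a fixed list of allowed names the same way rather than concatenating it.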
Posted by juangake, 09-26-2007, 06:03 AM |
Not the exact solution you're looking for, but I wrote this MySQL connection class and find it useful on all my projects. Since you're looking to learn some OOP, perhaps this is a good start.
http://prisonserver.co.uk/handleMYSQL.html
Regards,
Juan
|
Posted by nimasdj, 09-26-2007, 06:20 AM |
Indeed I will give it a try,
Thank you!
|