

SQL Injection Problem




Posted by nimasdj, 09-19-2007, 03:01 PM
Hello, I wrote a code like this:

    function fetch_database($fetch_info) {
        global $db_host, $db_user, $db_pass, $db_name, $results, $num;
        $link = mysql_connect($db_host, $db_user, $db_pass)
            or die("Couldn't connect to the database!\n" . mysql_errno() . " : " . mysql_error() . "\n");
        mysql_select_db($db_name, $link)
            or die("Could not select database!\n" . mysql_errno() . " : " . mysql_error() . "\n");
        $query = mysql_query($fetch_info, $link)
            or die("Couldn't update the information.\n" . mysql_errno() . " : " . mysql_error() . "\n");
        // Reset the globals so a query with no rows does not leave stale results behind
        $results = array();
        $num = 0;
        if (mysql_num_rows($query) > 0) {
            $num = mysql_num_rows($query);
            // Each row becomes one associative array (column name => value)
            while ($row = mysql_fetch_assoc($query)) {
                $results[] = $row;
            }
        }
        mysql_close($link);
        return true;
    }

This code gets $db_host, $db_user, $db_pass, $db_name variables from config.php file by globaling them. Wherever in my code I could have:

    $fetch_info = "SELECT * FROM table";
    fetch_database($fetch_info);

By calling this function I can pass a query and get an associative array from results in $results array. Then I can have for example $results[0][username] etc. The first dimension is row number, second dimension is column name. As you can see this code is still vulnerable to SQL Injection attack, so I wrote this one where I want to pass a query to this function:

    $link = mysql_connect($db_host, $db_user, $db_pass)
        or die("Couldn't connect to the database!\n" . mysql_errno() . " : " . mysql_error());
    // Undo magic_quotes_gpc first so the value is escaped exactly once below
    if (get_magic_quotes_gpc()) {
        $username = stripslashes($_POST['username']);
    } else {
        $username = $_POST['username'];
    }
    // Escape against the open connection (its charset) before putting the value in the query
    $fetch_info = sprintf(
        "SELECT admin_id, admin_pswrd, permission FROM admin WHERE admin_user_name = '%s'",
        mysql_real_escape_string($username, $link)
    );
    fetch_database($fetch_info);

It works fine but as you can see this code is not yet professionally written. Can anyone re-write this as a class or function in a very professional way, that I can pass any $_POST thing to it? We won't know what the key and value of $_POST is, so I think first we should parse the array and run stripslashes if gpc is on, then re-make it as an array to pass to the code. Also we won't know how many $_POST things we have, so we wouldn't know how many real_escape_string are necessary there. So the only solution is coding it as a class rather than a function, but I don't know OOP. Can anyone help me re-coding it? I'll appreciate your time. Regards,
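One way to do what the post asks, added here as an example that is not code from the original thread or from the class linked in the reply: a small PHP class that takes the query and an array of values and binds them through PDO prepared statements (a different mechanism from mysql_real_escape_string), so however many $_POST fields there are, none of them is concatenated into the SQL text. The names SafeDb, cleanInput and fetchAll are chosen here; PHP 5.1+ with the pdo_mysql extension and the poster's $db_* config variables are assumed.

```php
<?php
// Added example, not the poster's code nor the class linked in the reply: a
// wrapper that keeps the "pass a query, get $results back" idea but uses PDO
// prepared statements, so request values never become part of the SQL text.
// Assumes PHP 5.1+ with pdo_mysql; $db_* are the poster's config.php variables.
class SafeDb
{
    private $pdo;

    public function __construct($db_host, $db_user, $db_pass, $db_name)
    {
        $this->pdo = new PDO("mysql:host=$db_host;dbname=$db_name", $db_user, $db_pass);
        // Throw on errors instead of silently returning false.
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // Use server-side prepares; the emulated mode escapes client-side instead.
        $this->pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }

    // Undo magic_quotes_gpc on every value of a request array, however many
    // keys it has, so the data reaches the driver exactly as the user sent it.
    public static function cleanInput(array $input)
    {
        if (!get_magic_quotes_gpc()) {
            return $input;
        }
        $clean = array();
        foreach ($input as $key => $value) {
            $clean[$key] = is_array($value) ? self::cleanInput($value) : stripslashes($value);
        }
        return $clean;
    }

    // $sql uses named placeholders (:name); $params maps ':name' => value.
    // Returns an array of associative rows, like the poster's $results.
    public function fetchAll($sql, array $params = array())
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);   // values are sent separately from the SQL
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Usage: the poster's admin lookup, with the username bound as a parameter.
$post = SafeDb::cleanInput($_POST);
$db = new SafeDb($db_host, $db_user, $db_pass, $db_name);
$results = $db->fetchAll(
    "SELECT admin_id, admin_pswrd, permission FROM admin WHERE admin_user_name = :username",
    array(':username' => isset($post['username']) ? $post['username'] : '')
);
$num = count($results);   // $results[0]['admin_id'] etc., as before
```

Because the values travel to MySQL separately from the statement, a quote or comment sequence inside a field is just data, and no per-field escaping count is needed.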

Posted by juangake, 09-26-2007, 06:03 AM
Not the exact solution you're looking for, but I wrote this MySQL connection class and find it useful on all my projects. Since you're looking for learning some OOP perhaps this is a good start. http://prisonserver.co.uk/handleMYSQL.html Regards, Juan

Posted by nimasdj, 09-26-2007, 06:20 AM
Indeed I will give it a try, Thank you!


