amit

Reputation: 10261

Create table query

I want to create a table for making a comment box. I was told that I should be wary of SQL injection (don't even know what that means).

So I thought I should ask around at SO. My requirements are:

Comments table

  1. a comment row ~400 chars
  2. aid -> every comment should be linked to an aid. Duplicates should be allowed, meaning aid = 21 can have more than one comment. I should be able to search through the DB to see all the comments related to aid = 21.
  3. timestamp for the comment
  4. userid for the comment.

A MySQL query for the above table that should not allow SQL injection. I am pretty confused. Any help would be highly appreciated. Thanks a lot in advance.

Upvotes: 1

Views: 271

Answers (4)

user213154

Reputation:

SQL injection is explained at Wikipedia and other places.

Using mysql_real_escape_string() or stored procedures is a standard technique that will avoid SQL injection.

Upvotes: 0

Victor Nicollet

Reputation: 24577

Creating a table usually happens only once, when the system is installed. There is, therefore, no risk of SQL injection (which happens when a query is run with data provided by the user).

The above description would probably be implemented as:

CREATE TABLE `comment` ( 
  `comment_id` INTEGER NOT NULL AUTO_INCREMENT PRIMARY KEY,
  `comment_text` VARCHAR(400) NOT NULL,
  `aid_id` INTEGER NOT NULL REFERENCES `aid`(`aid_id`),
  `comment_time` DATETIME NOT NULL,
  `user_id` INTEGER NOT NULL REFERENCES `user`(`user_id`)
);

Upvotes: 3

streetparade

Reputation: 32878

This tutorial is for you: http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

Upvotes: 0

John G

Reputation: 2156

Try and use stored procedures in MySQL.

Use parameters to pass the input to the stored procedure.

Upvotes: 1
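Victor Nicollet's table and John G's advice to pass input as parameters, carried through as an added example (not code from any of the answers): the comment table is created as described, a comment is inserted and the comments for one aid are fetched with bound parameters, next to the string-pasting pattern the question is warned about. It assumes an in-memory SQLite database as a stand-in for MySQL so it runs offline, with the MySQL-only AUTO_INCREMENT rewritten for SQLite; the parameter-binding idea is the same with MySQL drivers.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed stand-in for the MySQL schema from the answer above: SQLite
# in memory, with AUTO_INCREMENT rewritten as SQLite's AUTOINCREMENT.
SCHEMA = """
CREATE TABLE comment (
  comment_id   INTEGER PRIMARY KEY AUTOINCREMENT,
  comment_text VARCHAR(400) NOT NULL,
  aid_id       INTEGER NOT NULL,
  comment_time DATETIME NOT NULL,
  user_id      INTEGER NOT NULL
);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def add_comment(conn, aid, user_id, text):
    """Insert with bound parameters: the values travel separately from the
    SQL text, so quotes or SQL fragments inside `text` are stored as plain
    characters and never parsed as part of the statement."""
    if len(text) > 400:
        raise ValueError("comment exceeds 400 characters")
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    conn.execute(
        "INSERT INTO comment (comment_text, aid_id, comment_time, user_id) "
        "VALUES (?, ?, ?, ?)",
        (text, aid, stamp, user_id),
    )
    conn.commit()

def comments_for_aid(conn, aid):
    """All comments linked to one aid, oldest first. `aid` is bound, so a
    non-numeric value simply matches no row instead of changing the query."""
    return conn.execute(
        "SELECT comment_text, user_id FROM comment WHERE aid_id = ? "
        "ORDER BY comment_time, comment_id",
        (aid,),
    ).fetchall()

def comments_for_aid_unsafe(conn, aid):
    """The pattern to avoid: the value is pasted into the SQL text, so the
    database parses whatever the caller supplied as part of the query."""
    return conn.execute(
        "SELECT comment_text, user_id FROM comment WHERE aid_id = " + str(aid)
    ).fetchall()
```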
