user974873

Reputation: 321

MySQL injection prevention not working?

I want to prevent the 1=1 using mysql_real_escape_string, but I'm not sure if I'm doing it right because I can still perform 1=1. This is my code:

$memberId = mysql_real_escape_string($_GET["memberId"]);
$sql = "SELECT firstName, lastName, dateSent, message, messageId FROM member, message WHERE member.memberId = message.sentFromId AND message.inboxId=" . $memberId . " ORDER BY dateSent DESC;";

Thanks

Upvotes: 2

Views: 146

Answers (2)

MK.

Reputation: 34587

The only correct way to not have SQL injections is using prepared statements. If you attempt to mitigate using escaping you will fail. If you as a rule never concatenate your queries and always use prepared statements, you have a chance.
It also has the advantage of making your code more readable. And has no disadvantages.

Upvotes: 3

Marc B

Reputation: 360762

mysql_real_escape_STRING() is for STRINGS, not integers. There's nothing in 1=1 that requires escaping, so m_r_e_s() will pass it back unchanged.

If you're dealing with integers, then use integer tools:

$memberID = intval($_GET['memberId']);

Upvotes: 6
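Putting both answers together, as an added example that is not part of the original thread: a PHP script showing that escaping leaves an unquoted integer untouched, while intval() and a bound parameter each keep the injected condition out of the query. It assumes PDO with the pdo_sqlite extension (an in-memory SQLite database stands in for MySQL so it runs offline); the table, rows and input are constructed.

```php
<?php
// Added example (not from the question or the answers): why
// mysql_real_escape_string() does not protect an unquoted integer, and the
// two fixes the answers give. Uses PDO with an in-memory SQLite database
// (assumption: the pdo_sqlite extension is available) so it runs offline;
// the same PDO calls work against MySQL.

// Mimic the escaping mysql_real_escape_string() performs: it only escapes
// the characters that could break out of a quoted string literal.
function escape_like_mres(string $s): string {
    return strtr($s, ["\\" => "\\\\", "'" => "\\'", "\"" => "\\\"",
                      "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z"]);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE message (messageId INTEGER, inboxId INTEGER, message TEXT)");
$pdo->exec("INSERT INTO message VALUES (1, 7, 'inbox 7'), (2, 8, 'inbox 8'), (3, 9, 'inbox 9')");

// Constructed input of the kind the asker saw reach the database unchanged.
$input = "7 OR 1=1";

// 1. Escaped and concatenated (the question's pattern): the input contains
//    no quote, so nothing is escaped and the OR clause becomes part of the SQL.
$escaped = escape_like_mres($input);   // still "7 OR 1=1"
$rows = $pdo->query("SELECT messageId FROM message WHERE inboxId=" . $escaped)->fetchAll(PDO::FETCH_COLUMN);
printf("escaped + concatenated: %d rows (every inbox)\n", count($rows));

// 2. Marc B's fix: coerce to an integer before it goes anywhere near the SQL.
$id = intval($input);                  // 7
$rows = $pdo->query("SELECT messageId FROM message WHERE inboxId=" . $id)->fetchAll(PDO::FETCH_COLUMN);
printf("intval: %d row (inbox 7 only)\n", count($rows));

// 3. MK.'s fix: a prepared statement with a bound parameter. The value is
//    sent as data, never parsed as SQL, so whatever the database makes of the
//    string "7 OR 1=1" (no match, or inbox 7 after numeric coercion), it
//    cannot execute the OR clause and return every inbox.
$stmt = $pdo->prepare("SELECT messageId FROM message WHERE inboxId = :inbox");
$stmt->execute([':inbox' => $input]);
printf("prepared statement: %d rows\n", count($stmt->fetchAll(PDO::FETCH_COLUMN)));
```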
