Reputation: 637
Is my code safe from SQL injection
This is my current code as it stands
$search=$_GET["Search"];
$search = addcslashes(mysql_real_escape_string($search), '%_');
THIS CODE WAS GENERATED BY DREAMWEAVER CS4 FROM HERE ON
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
if (PHP_VERSION < 6) {
$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
}
$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
switch ($theType) {
case "text":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "long":
case "int":
$theValue = ($theValue != "") ? intval($theValue) : "NULL";
break;
case "double":
$theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
break;
case "date":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "defined":
$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
break;
}
return $theValue;
}
}
mysql_select_db($database_Echos, $Echos);
SQL Satement that Querys the db
$query_Recordset1 = "SELECT catelogue.ARTIST, catelogue.TITLE, catelogue.`CAT NO.`, catelogue.FORMAT, catelogue.`IMAGE PATH` FROM catelogue WHERE catelogue.TITLE LIKE '%$search%'";
More Dremweaver code
$Recordset1 = mysql_query($query_Recordset1, $Echos) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);
After this the data gets displayed in a table format
I'm still new to this all and in recent days have found out that you can put staements into my search term and destroy 8 months of database work. It's not like the db isn't backed up but I'd like to rather be safe then sorry.
I have read that a prepared statement is the best way to stop this How can I prevent SQL injection in PHP?.
But as I said I'm new to this and have very little understanding of this.
So Simple put is my code that DW created safe enough
Are there things that should change to make it simpler
And if it's not safe enough how do I make it safer?
Do I use a prepared staement here? If so can someone please explain how to use it here
Please any help would be much appreciated
Upvotes: 1
Views: 974
Answers (1)
Reputation: 14081
Your code is suffering from a lot of bad practices, but it isn't totally insecure or totally bad as the usual pieces of PHP code I'm used to seeing.
To put it in simple terms - you don't want to use PHP's mysql_ functions. What you should do is use PDO.
mysql_real_escape_string is safe but not 100%. For better explanation refer to the link that explains when mysql_real_escape_string is vulnerable.
So what you would do is create prepared statements with PDO and then you bind the input values. PDO cleans them according to the character set and database being used, which makes it 100% safe and without worrying whether you missed out on something or not.
Upvotes: 6
Related Questions
- is my code vulnerable to SQL injection
- How vulnerable is my code to SQL injection?
- Is my PHP Code Secure
- Sql Injection: is this code safe?
- Is this code vulnerable to SQL injection attacks?
- Am I protecting my website enough from sql injection?
- I am worried about SQL Injections. Is this safe?
- Is this safe enough for SQL injection
- Is this part of the script is safe from sql injection?
- Am I safe from SQL-injections?