PHP MySQL Improved Install


#1

I was wondering if anybody knew about MySQL Improved for PHP. I am doing some form and database work. One of my buddies showed me how he could do some SQL injection on my site. He told me I need to learn how to use prepared statements. For PHP, you need to install the MySQLi extension. I was wondering if I can shoot a note to support to do it or what. Thanks.


#2

DreamHost’s PHP5 installs (my domains use either PHP5.23 or 5.22) have the MySQLi extension installed.

SQL injection is always a risk if coding practices to prevent it are not implemented; MySQLi can help but it alone will not prevent this exposure.

–rlparker


#3

Thanks, I didn’t know, nor did I know how to tell if it had it. I know you can’t just use mysqli and expect to be secure.


#4

Hello rguy84,

There are many ways to avoid SQL injection. What I can advise you from my little experience with SQL is to review your code and make sure you verify the query variable before sending the process to the database.

if you have $_GET['username']:

// Only 8 to 20 word characters (letters, digits, underscore) are accepted,
// so quotes and comment sequences never reach the query string.
if (preg_match('/^\w{8,20}$/', $_GET['username'], $matches)) {
    $result = mysql_query("SELECT * FROM users WHERE username='{$matches[0]}'");
} else { // we don't bother querying the database
    echo "username not accepted";
}

I can recommend this article: http://www.devarticles.com/c/a/MySQL/SQL_Injection_Attacks_Are_You_Safe/
and this one is really interesting (you’ll find the above snippet explained there in detail):
http://en.wikibooks.org/wiki/Programming:PHP:SQL_Injection

Hope this helps,



#5

Hello MKhad,

I am not sure what the first line of that code is (I am guessing it checks to make sure the username is between 8 and 20 chars long using regular expressions), but my buddy gave me the following: http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html
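The username lookup from post #4, rewritten with a MySQLi prepared statement as the thread suggests. This is an added example, not code from any of the posters; it assumes a `users` table with `id` and `username` columns, and the connection credentials are placeholders.

```php
<?php
// Added example: looking up a user with a mysqli prepared statement.
// Assumes a table `users` with columns `id` and `username`.
function find_user(mysqli $db, $username)
{
    // Input validation as in post #4 keeps obvious garbage out early,
    // but it is the prepared statement below that prevents injection.
    if (!preg_match('/^\w{8,20}$/', $username)) {
        return null;
    }

    // The value is never spliced into the SQL text: `?` is a placeholder
    // and the username is sent separately, so quotes or comment sequences
    // in it cannot change the structure of the query.
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username); // 's' binds the value as a string
    $stmt->execute();
    $stmt->bind_result($id, $name);

    $row = $stmt->fetch() ? array('id' => $id, 'username' => $name) : null;
    $stmt->close();
    return $row;
}

// Usage with placeholder credentials (replace DB_USER etc. with your own).
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}
$user = find_user($db, isset($_GET['username']) ? $_GET['username'] : '');
echo $user === null ? 'username not accepted' : 'found user #' . $user['id'];
```

Compare this with the `mysql_query` call in post #4: there the safety depends entirely on the regular expression, whereas here the database driver keeps data and SQL apart regardless of what the input contains.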