How do I make this piece of code safe from SQL injection?
Thanks for answers :)
Code:
$get = mysql_query("SELECT * FROM users WHERE news='1'");
LOL, dude, you're taking no input, no point.
Thanks for helping me. Those dudes on phpacademy told me it was unsafe, but I didn't find anything that shows that, so therefore I asked here.
As long as you only take info and put it into a table or anything else, it won't be injectable. It will be when you start using input, update queries, etc.
SELECT can expose unnecessary data but will not be modified. You should select only the data from the table or tables that you specifically need for processing, so avoid the asterisk (*). UPDATE, INSERT and other statements that modify, delete or add data are the ones you also need to look into for protection.
You only have to use mysql_real_escape_string when you are inserting data into the database.
I don't really see a problem in the query, but check whether the * sends data from the table that should stay private.
Any time untrusted content is inserted into a query, it needs to be sanitized beforehand, even for selects, especially for selects:
SELECT COUNT(*) FROM users WHERE username = $username AND passhash = $passhash
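To make the point in the reply above concrete, here is an added example (not code from anyone in this thread): the login-style SELECT with the username concatenated straight into the string, next to the same lookup done with a prepared statement. It assumes the `users` table with `username` and `passhash` columns from the quoted query, uses PDO, and stands in an in-memory SQLite database for MySQL so it runs offline; against MySQL only the DSN changes.

```php
<?php
// Added example, not from the original thread. Shows that a SELECT is
// injectable when untrusted input is concatenated into the SQL, and that a
// prepared statement closes the hole. SQLite in memory stands in for MySQL.

declare(strict_types=1);

/** Create a throwaway users table with one constructed row. */
function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, passhash TEXT)');

    // Constructed sample user; the stored value is a salted password hash.
    $stmt = $db->prepare('INSERT INTO users (username, passhash) VALUES (?, ?)');
    $stmt->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

/**
 * VULNERABLE: the thread's query with both values dropped into the string.
 * Anything the user types becomes part of the SQL text.
 */
function countMatchesVulnerable(PDO $db, string $username, string $passhash): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$username' AND passhash = '$passhash'";
    return (int) $db->query($sql)->fetchColumn();
}

/**
 * SAFE: the same lookup with bound parameters. The driver sends the values
 * separately from the statement, so quotes or comment markers in them are
 * compared as data, never parsed as SQL.
 */
function countMatchesSafe(PDO $db, string $username, string $passhash): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = ? AND passhash = ?');
    $stmt->execute([$username, $passhash]);
    return (int) $stmt->fetchColumn();
}

/**
 * The shape a real login check should take: bind the username, fetch the
 * stored hash, and let password_verify() do the comparison. This also avoids
 * comparing hashes in SQL, which does not work with salted hashes anyway.
 */
function loginSafe(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT passhash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

$db = setupDb();

// Classic payload: closes the quote, adds an always-true condition, and the
// trailing "-- " comments out the rest of the statement (the space after the
// dashes is required for MySQL's comment syntax as well as SQLite's).
$payload = "' OR 1=1 -- ";

// Attacker knows no password, yet the concatenated SELECT reports a match.
printf("vulnerable SELECT with payload: %d row(s)\n",
    countMatchesVulnerable($db, $payload, 'not-a-real-hash'));

// Same payload through a prepared statement: it is just an odd username
// that matches nobody.
printf("prepared SELECT with payload:   %d row(s)\n",
    countMatchesSafe($db, $payload, 'not-a-real-hash'));

// Legitimate and bogus logins through the properly parameterised check.
printf("loginSafe alice/correct horse:  %s\n", loginSafe($db, 'alice', 'correct horse') ? 'ok' : 'denied');
printf("loginSafe payload/anything:     %s\n", loginSafe($db, $payload, 'anything') ? 'ok' : 'denied');
```

Run it with `php` on a build that has `pdo_sqlite`; the vulnerable count comes back as 1 because the `--` turns the password clause into a comment, while the prepared versions return 0 and "denied" for the same input. Note that with the quoting-free form in the quoted query (`username = $username`) the hole is even wider, since no quote needs to be closed first.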
If the password gets hashed/encrypted before selecting from the DB, you don't really have to escape that one. If it's not encrypted... Encrypt your passwords!
As for usernames, as jMerliN said, you should escape them, because otherwise they could use a MySQL injection there.