SQL Injection: Fixing the example website

JoshuaPosey03
Posts: 5
Joined: Thu Jan 04, 2018 8:39 am
Occupation: Student

SQL Injection: Fixing the example website

Post by JoshuaPosey03 »

I have had a lot of trouble in trying to edit the PHP files on the website to prevent SQL injection. I have read up on all the best current practices to prevent SQL injection, but every time I use one of these techniques I end up shutting down the login page. I've even gone so far as to add in whole lines of code that were produced by MySQL; these also shut the website down. Any ideas?
bfinio
Expert
Posts: 755
Joined: Mon Aug 12, 2013 2:41 pm
Occupation: Science Buddies Staff
Project Question: Expert
Project Due Date: n/a
Project Status: Not applicable

Re: SQL Injection: Fixing the example website

Post by bfinio »

Hi JoshuaPosey03 - can you explain what exactly you mean by "shutting down the login page"? If you paste in your code here using the "code" button in the editor we may be able to take a look.
JoshuaPosey03
Posts: 5
Joined: Thu Jan 04, 2018 8:39 am
Occupation: Student

Re: SQL Injection: Fixing the example website

Post by JoshuaPosey03 »

I mean that when I edit the PHP file it stops letting all users in, even when they’re using their password. I’m not sure how to get the example website to let legitimate passwords in and not allow SQL injection queries to hack the accounts. The code line that shut down the website until I deleted it was

Code:

mysql_real_escape_string (mysql $link , string $escapestr
bfinio
Expert
Posts: 755
Joined: Mon Aug 12, 2013 2:41 pm
Occupation: Science Buddies Staff
Project Question: Expert
Project Due Date: n/a
Project Status: Not applicable

Re: SQL Injection: Fixing the example website

Post by bfinio »

Hi Joshua - I asked someone with more of a background in SQL and he said "He is using the definition of the function. That is the function to use, but he is not doing it right." So it looks like you're at least on the right track, but you need to figure out how to properly implement that function.
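The following is an added example for readers of this thread; it is not code from the project's example website or from either poster. It assumes a mysqli connection in `$link` and a hypothetical `users` table with `username` and `password` columns. It uses the mysqli extension (the legacy `mysql_` extension was removed in PHP 7), whose `mysqli_real_escape_string($link, $string)` takes the connection first and the string second, matching the signature quoted above; a bare signature copied from the manual is not valid PHP, which is one way a login page stops working. The example shows the unsafe query, the same query with escaping applied correctly, and a prepared statement, which is the form that removes the problem entirely.

```php
<?php
// Added example, not the thread's project code. Assumes $link is an open mysqli
// connection and a hypothetical `users` table with `username` and `password`
// columns; whatever the example site really stores, the shape is the same.

// BEFORE: user input is dropped into the SQL text verbatim, so quote characters
// in it become part of the statement instead of part of the value. This is the
// pattern that makes a login page injectable.
function login_vulnerable(mysqli $link, string $user, string $pass): bool
{
    $sql = "SELECT id FROM users WHERE username = '$user' AND password = '$pass'";
    $result = mysqli_query($link, $sql);
    return $result !== false && mysqli_num_rows($result) === 1;
}

// FIX 1: escaping. mysqli_real_escape_string($link, $string) returns an escaped
// copy of $string; it does not change the variable in place, so the return value
// must be captured, and the escaped value must still be wrapped in single quotes
// inside the query text.
function login_escaped(mysqli $link, string $user, string $pass): bool
{
    $safeUser = mysqli_real_escape_string($link, $user);
    $safePass = mysqli_real_escape_string($link, $pass);
    $sql = "SELECT id FROM users WHERE username = '$safeUser' AND password = '$safePass'";
    $result = mysqli_query($link, $sql);
    return $result !== false && mysqli_num_rows($result) === 1;
}

// FIX 2 (preferred): a prepared statement. The SQL is sent with `?` placeholders
// and the values are bound separately, so the database never parses user input
// as SQL and there is no escaping step that can be forgotten.
function login_prepared(mysqli $link, string $user, string $pass): bool
{
    $stmt = mysqli_prepare($link, 'SELECT id FROM users WHERE username = ? AND password = ?');
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, 'ss', $user, $pass); // 's' = bind as string
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);                 // needed before num_rows
    $ok = mysqli_stmt_num_rows($stmt) === 1;
    mysqli_stmt_close($stmt);
    return $ok;
}

// Usage; the connection details are placeholders, not the project's values:
// $link = mysqli_connect('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// $loggedIn = login_prepared($link, $_POST['username'] ?? '', $_POST['password'] ?? '');
```

Either fix keeps legitimate logins working, because a normal username or password contains nothing that escaping or binding changes. The difference is that with `login_escaped` every query in every PHP file has to be edited correctly, while with `login_prepared` the values never reach the SQL parser at all.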
JoshuaPosey03
Posts: 5
Joined: Thu Jan 04, 2018 8:39 am
Occupation: Student

Re: SQL Injection: Fixing the example website

Post by JoshuaPosey03 »

So I've searched for multiple ways to implement mysql_real_escape_string, yet I still have not found a way to successfully implement this function into the PHP files on the example website. Any ideas on where I could find a website that would actually tell me how to implement this function?
bfinio
Expert
Posts: 755
Joined: Mon Aug 12, 2013 2:41 pm
Occupation: Science Buddies Staff
Project Question: Expert
Project Due Date: n/a
Project Status: Not applicable

Re: SQL Injection: Fixing the example website

Post by bfinio »

Joshua - have you looked through all the resources in the project's bibliography? Do any of them mention it?
JoshuaPosey03
Posts: 5
Joined: Thu Jan 04, 2018 8:39 am
Occupation: Student

Re: SQL Injection: Fixing the example website

Post by JoshuaPosey03 »

That’s the first thing I tried. The only one that even mentions what I’m looking for is the PHP tutorial, which briefly mentions mysql_real_escape_string; do you have any idea where I could look for a more thorough and clear explanation?
bfinio
Expert
Posts: 755
Joined: Mon Aug 12, 2013 2:41 pm
Occupation: Science Buddies Staff
Project Question: Expert
Project Due Date: n/a
Project Status: Not applicable

Re: SQL Injection: Fixing the example website

Post by bfinio »

Joshua - honestly my best advice at this point would be to Google that command along with "SQL injection" and see if you can find examples of how to use it. There are also other forums out there that are more programming-specific like stackexchange.com and stackoverflow.com where you might be able to get more help (be careful when posting in forums like that though, sometimes people get cranky with students if they think you're being lazy and asking for too much help - so make sure you explain what your background knowledge is and what you've already tried, don't just ask them to write the code for you).

Part of the challenge of this project is figuring out what to do - if we provided a direct link to a resource that gave you the exact code to use, that would make things too easy. You're on the right path though!