How to secure scripts and pages

Wolf Blade · May 5th, 2008, 01:06

Hey all,

I just found out that PHP scripts/pages can be manipulated from things like forms when people post information to a server. Also SQL injections seem to be an issue that I didn't know about.
My problem is that I have very little knowledge of PHP and MySQL so being told that they could be a security risk is a little worrying as I don't know what to do to make them secure. I'm yet to add a form or guest book to my site so its not a problem to me yet but I am planning on adding one.

If anyone knows of any tutorials for noobs like me or if anyone can tell me how to secure forms, databases, guest books etc, I would really appreciate it.

Thanking you all in advance as I know you code wizards will have the answers

Wolf

CloudedVision · May 5th, 2008, 01:39

Just make sure they can't close the quotes in a query. Let's say your query is this:

PHP: Select all


$query = "SELECT * FROM `mytable` WHERE `blah`='".$_GET['blee']."'";

If the hacker does something like "hello'yo" for the blee text field, they've just closed out of the quotes, and can run wild. So be sure to replace all the "'" with "\'", and you should be fine.

Wolf Blade · May 5th, 2008, 01:45

Thanks for the reply mate,
I'm not exactly sure what that code is that you typed but I do understand your meaning (I think)
Basically, if hackers can close the quotes, they can alter the code and get information from the database or get access to information?

So by escaping the ' with a slash \' it stops them getting access?
Like I said, I'm a green as a leaf noob with PHP nd most scripting languages lol

Thanks again CV, this is the second time you helped me out :P

CloudedVision · May 5th, 2008, 01:51

Quote:

Originally Posted by Wolf Blade

So by escaping the ' with a slash \' it stops them getting access?

Ya, in nearly all programming languages putting a backslash before a single quote or double quote stops it from closing the quotes. eg: 'Isn\'t this awesome?'

But its not necessary to backslash next to a single quote in a string enveloped by double quotes or vice versa.

Wolf Blade · May 5th, 2008, 01:58

Great!
Thank you again CV, I think I should title future posts "CV, Help!" lol

awatson · May 8th, 2008, 20:28

There's also often built-in ways to escape that stuff, for example PHP has mysql_real_escape_string:

http://us3.php.net/mysql_real_escape_string

CloudedVision · May 8th, 2008, 22:25

thanks awatson. that'll come in handy! it'll save me a lot of time also.

Wolf Blade · May 9th, 2008, 19:43

Hey,
Thanks for that awatson, I'll be using that soon enough

bonnit · May 10th, 2008, 16:03

sorry to butt in but found this very interesting, for a newbie, if i were to just do a search for "'" in dreamweaver and replace all with "\" would that work or is it only in certain areas you can do this?