I developed a PHP page for internal use at the company I work for, and only a very few people use it. Through this page it is possible to make some queries, insertions, changes and removals of data in a table of a MySQL database; however, I believe my PHP code is not protected against SQL injection, for example:
//----CONSULTA SQL----//
$busca = mysql_query('insert into Produtos (coluna) values(' . $valor . ')');
So let's say the user enters the text 1); DROP TABLE Produtos; in the field valor. The command would then be:
insert into Produtos (coluna) values(1); DROP TABLE Produtos;
It will insert a new record whose field coluna will be 1, and right after that it will delete the table Produtos.
How can I improve my code to prevent this situation?
There are many ways to prevent SQL Injection. I recommend the following reading: http://bobby-tables.com/
– urb
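As an added illustration of the parameterized approach that bobby-tables recommends (this is example code written for this page, not code from the question or from either commenter), the same insert rewritten with a mysqli prepared statement. It assumes an already opened mysqli connection in $mysqli and the table Produtos with the column coluna from the question; that coluna is an INT column is an assumption, as is the function name inserirProduto.

```php
<?php
declare(strict_types=1);

// Added example, not the page's own code. Assumes $mysqli is an open mysqli
// connection and that Produtos.coluna is an INT column (assumption).

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Inserts one row into Produtos using a prepared statement.
 * The SQL text contains only a placeholder; the value travels to the server
 * separately as data, so it can never alter the structure of the statement.
 */
function inserirProduto(mysqli $mysqli, string $valorRecebido): int
{
    // Validate first: coluna is numeric, so anything that is not an integer
    // (e.g. "1); DROP TABLE Produtos;") is rejected before reaching MySQL.
    $valor = filter_var($valorRecebido, FILTER_VALIDATE_INT);
    if ($valor === false) {
        throw new InvalidArgumentException('valor must be an integer');
    }

    // The user value is never concatenated into the SQL string.
    $stmt = $mysqli->prepare('INSERT INTO Produtos (coluna) VALUES (?)');
    $stmt->bind_param('i', $valor);   // 'i' = bind as integer; use 's' for text columns
    $stmt->execute();

    return (int) $mysqli->insert_id;  // id of the new row, for the caller
}

// Usage: the field "valor" from the form, as in the question.
try {
    $id = inserirProduto($mysqli, $_POST['valor'] ?? '');
    echo "Inserted row $id\n";
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Invalid value: ' . $e->getMessage() . "\n";
}
```

With the payload from the question, the validation step rejects the request before any SQL is sent. If coluna were a text column instead, the same code with bind_param('s', ...) and without the integer check would store the string "1); DROP TABLE Produtos;" literally as the column's value; because the value is bound rather than spliced into the statement, the DROP is never executed either way.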
The assembled query, I believe, would be $busca = mysql_query('insert into Produtos (coluna) values(1); DROP TABLE Produtos;)'), which perhaps would not be accepted by the database, but always process the data received from the user before interacting with the database....
– Dunga Cardoso