I hate mysql injectors

Monday, October 29th, 2007

So we had someone MySQL inject some stupid code. I won't go into details, except it caused me a large headache over the weekend. I had some old code that didn't escape quotes, and guess what, I paid for it with my blood. Anyways, this is for everyone that at one point was lazy to proof some of their old code. I will post a simple function that solves this problem.

Usually MySQL injection is done by the user putting an end quote in the textbox, then typing OR 1=1. So say someone types this in:

jason' or 1=1

// The request value is dropped straight into the SQL string: a quote inside
// $variable ends the password literal and whatever follows is parsed as SQL.
$variable = $_REQUEST['password'];
$query = "Select * from users where username = 'username' and password = '".$variable."'";

As you can see, the OR 1=1 being put in there would cause the statement to return users, thus letting someone into the system.

Here's a simple example of how to prevent this, although there are hundreds of ways you could do it.

// Escapes a request value so it is safe to place inside a quoted MySQL string literal.
function prevent_injection ($data) {
        // Undo the backslashes PHP adds automatically when magic_quotes_gpc is on,
        // so the value is not escaped twice below.
        if (ini_get('magic_quotes_gpc')) {
                $data = stripslashes($data);
        }
        // Escape quotes, backslashes and NUL bytes for the open MySQL connection.
        // Note: if the function is not available, $data is returned unescaped.
        if (function_exists('mysql_real_escape_string')) {
                $data = mysql_real_escape_string (trim($data));
        }
        return $data;
}

$variable = $_REQUEST['password'];
$query = "Select * from users where username = 'username' and password = '".prevent_injection($variable)."'";
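The escaping above only protects values that land inside a quoted literal, and it needs an open MySQL connection (mysql_real_escape_string requires one, and the mysql_* extension was removed in PHP 7). As an added example that is not from the original post, here is the same login lookup written with a PDO prepared statement, run against a constructed in-memory SQLite table so it works stand-alone; the make_demo_db, vulnerable_query and find_user names are assumptions for this demo.

```php
<?php
// Added example (not from the original post). Builds a throwaway SQLite
// table so the code runs offline; the users and their passwords are constructed.
function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (username TEXT, password TEXT)");
    // Plaintext passwords only mirror the post; real systems store hashes.
    $db->exec("INSERT INTO users VALUES ('jason', 's3cret'), ('alice', 'hunter2')");
    return $db;
}

// The concatenation from the post, kept only to show what the injected
// string turns into. This builds the text and does not execute it.
function vulnerable_query(string $username, string $password): string {
    return "SELECT * FROM users WHERE username = '" . $username
         . "' AND password = '" . $password . "'";
}

// Hardened version: the SQL text is sent with placeholders and the values
// are bound separately, so quotes in $password cannot change the statement.
function find_user(PDO $db, string $username, string $password): ?array {
    $stmt = $db->prepare(
        "SELECT username FROM users WHERE username = :u AND password = :p"
    );
    $stmt->execute([':u' => $username, ':p' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = make_demo_db();
$injected = "jason' or 1=1";

// Shows the quote breaking out of the password literal in the concatenated query.
echo vulnerable_query('jason', $injected), "\n";

// With a prepared statement the same input is simply a password that does not match.
var_dump(find_user($db, 'jason', $injected));
var_dump(find_user($db, 'jason', 's3cret'));
```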

Author: Jason Rogers
