SQL Injection

Posted: Thu May 19, 2011 9:22 pm
by master
I saw the tutorial on SQL injection, but I really don't understand it. I understand that it's a security risk and somebody could get access to your database but I don't understand the method of it. I tried to break into my login script using injection but it didn't work even though I'm not using the mysql_real_escape_string function.

So could somebody make it a bit clearer for me? Thanks!

Re: SQL Injection

Posted: Thu May 19, 2011 9:25 pm
by jacek
You may have magic_quotes turned on; that is a feature of PHP that automatically applies the addslashes() function to any user input. It's something you should really turn off if you can, as it is not as safe as mysql_real_escape_string.

Re: SQL Injection

Posted: Thu May 19, 2011 11:05 pm
by Dylan
Perhaps the code was not protecting you, and your break-in attempts were just futile :lol:

A more likely solution is, as Jacek said, magic quotes. A way to get around having to turn this off (if, for instance, you do not have access to PHP settings on your server [switch hosts] or are programming for someone else and you have no idea where they will be hosting) is to define a function like:
//MySQL real escape strings with magic quotes check
function mres($string){
	// If magic_quotes_gpc is on, PHP has already run addslashes() on the input;
	// undo that first so the value is not escaped twice.
	if(get_magic_quotes_gpc()){
		$string = stripslashes($string);
	}
	// Now escape exactly once, using the open MySQL connection's character set.
	return mysql_real_escape_string($string);
}
This way, instead of calling "mysql_real_escape_string" you call mres (which is a lot nicer to type).

The other thing worth noting is that mysql_real_escape_string will not protect all inputs. If, for instance, it is an integer field, you are required to cast to an integer (int), or use similar methods of security. There is no universal way to protect your site inputs.

Re: SQL Injection

Posted: Fri May 20, 2011 7:05 pm
by master
Thanks for the tips. I'll try them and see what happens.

Re: SQL Injection

Posted: Fri May 20, 2011 8:49 pm
by Carbine
It may also be the same way I use my login script. I just select the username, not the password, in the query. Then I select information, but I don't directly use the password in the query, if that makes sense >.> So if they try to use the OR 0=0 or whatever you use to inject it, the number of rows will return 0 anyway.

/E There are still other things they can do though, so it's still always best to use the mysql_real_escape_string anyway.
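
Putting Dylan's escape-and-cast advice and Carbine's keep-the-password-out-of-the-query approach together, as an added example that is not code from anyone in this thread: it reuses the mres() helper from Dylan's post and assumes a table users(id, username, password_hash, role_id) plus an open mysql_* connection; build_login_query() and login() are hypothetical helpers named here so the generated SQL can be inspected.

```php
<?php
// Added example (not from the thread). Reuses mres() from Dylan's post above.
// Assumed schema: users(id, username, password_hash, role_id); mysql_connect()
// has already been called so mysql_real_escape_string() has a connection.

// Build the lookup SQL. The string field goes through mres() AND sits inside
// quotes; the integer field is cast with (int), because escaping quotes does
// nothing for a value that is never quoted in the SQL (Dylan's point).
function build_login_query($username, $role_id) {
    $username = mres($username);      // quotes and backslashes are escaped
    $role_id  = (int) $role_id;       // anything that is not a number becomes 0
    return "SELECT id, password_hash FROM users "
         . "WHERE username = '$username' AND role_id = $role_id LIMIT 1";
}

// Carbine's approach: look the user up by username only and check the password
// in PHP, so the submitted password never becomes part of any query. A username
// that matches no row simply yields zero rows and the login fails.
function login($username, $password, $role_id) {
    $result = mysql_query(build_login_query($username, $role_id));
    if (!$result || mysql_num_rows($result) !== 1) {
        return false;                 // unknown user, or the query failed
    }
    $row = mysql_fetch_assoc($result);
    // The hashing scheme is outside this thread; sha1 is only a placeholder,
    // the real check must use whatever the stored hash was produced with.
    if ($row['password_hash'] !== sha1($password)) {
        return false;
    }
    return (int) $row['id'];          // authenticated user id
}

// Typical call from a login form (form field names are assumed):
$user_id = login($_POST['username'], $_POST['password'], $_POST['role_id']);
```

Prepared statements (mysqli or PDO) remove the need to escape or cast by hand; the pattern above is the one the thread's mysql_* code supports.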

Re: SQL Injection

Posted: Fri May 20, 2011 9:58 pm
by jacek
Just because Alex said that doing it that way makes SQL injection impossible does not make it true!