MySQL stored procedure in php code

Post by logan » 31. October 2005 10:46

Well hello all the other English-speaking people! :D

I have a question about implementing stored procedures via PHP. It is for security reasons, to try and prevent SQL injection from "breaking" my data.

I was wondering if anyone knew of ways to implement stored procedures, in a way to simulate it, other than relying on MySQL to do it? (Hope I am explaining it correctly.) The people I host with are not being very helpful in this area, so now I teach myself!

VIVA LA REVOLUTION!! :D

Any help will be appreciated or even if you can push me in the right direction to move to!

Thank you in advance,
Logan

Post by alucard01 » 01. November 2005 09:22

Hi.

I prefer using PHP rather than MySQL to prevent SQL injection.

You can go to www.php.net and search for a function called:

mysql_real_escape_string

and look at a function called quote_smart. You may get some help in there.

Hope it helps.

Post by logan » 01. November 2005 09:56

Thank you for the input! 8)

I do use mysql_real_escape_string. But I have given a few friends of mine the chance to see if they can get past my "newbie" security and they did (they like breaking into code). But I would like some more security.

Other things I do are to use md5 to hash passwords and replace some set characters like : and <> etc. with white spaces. Also I run the input through a "sanitize" function of my own making and check the sanitized input against a copy of the original; if any changes have been made then I output a "nicely worded error" - not giving away too much information.

I am not sure if the above is a waste of time or secure in a way? :?:

I don't want to use MySQL to implement stored procedures, would rather simulate it using PHP! :D

I will take a look at this quote_smart function of yours! :)

Thank you again,
Logan
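Added example, not part of the thread and not any poster's code: one way to get the effect asked about above, stored procedures simulated in PHP, is a fixed set of named statements whose SQL text never changes and whose inputs are only ever bound as typed parameters. It assumes PDO with an in-memory SQLite database so it runs offline; the `Procedures` class, the `users` table and the procedure names are hypothetical.

```php
<?php
// Added example (not from the thread). Assumptions: PDO with in-memory SQLite;
// the users table and the procedure names below are hypothetical.
final class Procedures
{
    // "Stored procedures": fixed SQL text plus a PDO type per placeholder.
    private const DEFS = [
        'user_add' => [
            'sql'    => 'INSERT INTO users (name, age) VALUES (:name, :age)',
            'params' => ['name' => PDO::PARAM_STR, 'age' => PDO::PARAM_INT],
        ],
        'user_by_name' => [
            'sql'    => 'SELECT id, name, age FROM users WHERE name = :name',
            'params' => ['name' => PDO::PARAM_STR],
        ],
    ];
    private $db;
    public function __construct(PDO $db) { $this->db = $db; }

    public function call(string $name, array $args): array
    {
        if (!array_key_exists($name, self::DEFS)) {
            throw new InvalidArgumentException("unknown procedure: $name");
        }
        $params = self::DEFS[$name]['params'];
        // Callers must pass exactly the declared arguments, nothing else.
        if (array_diff_key($params, $args) || array_diff_key($args, $params)) {
            throw new InvalidArgumentException("bad argument list for $name");
        }
        $stmt = $this->db->prepare(self::DEFS[$name]['sql']);
        foreach ($params as $key => $type) {
            $value = $args[$key];
            if ($type === PDO::PARAM_INT
                && ($value = filter_var($value, FILTER_VALIDATE_INT)) === false) {
                throw new InvalidArgumentException("$key must be an integer");
            }
            $stmt->bindValue(":$key", $value, $type); // data only, never SQL text
        }
        $stmt->execute();
        return $stmt->columnCount() > 0 ? $stmt->fetchAll(PDO::FETCH_ASSOC) : [];
    }
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)');
$proc = new Procedures($db);
$proc->call('user_add', ['name' => "O'Brien", 'age' => '42']);
// Constructed input containing quotes and SQL keywords: compared as a plain string.
var_dump($proc->call('user_by_name', ['name' => "x' OR '1'='1"]));
var_dump($proc->call('user_by_name', ['name' => "O'Brien"]));
```

With a MySQL DSN in place of SQLite, setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the server itself prepare the statements.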
