Question

I was told in a previous question that my query is prone to SQL injections.

$get_stats = mysql_query("SELECT *
                            FROM visitors
                           WHERE site='$_GET[site]'
                             AND date BETWEEN '$start_date' AND '$end_date' ");

What would be the easiest way to approach this problem? And do you have some further reading on the subject of injections? (something that I might miss on Google). Thanks!


Solution

Use Prepared Statements.

In most cases, Prepared Statements do the job of combining your query with your parameters, in a safe manner.
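The query from the question rewritten with PDO prepared statements, as an added example that is not part of the original answer. The connection details, the `getStats()`/`isValidDate()` function names and the `$pdo` variable are assumptions; `$start_date` and `$end_date` are assumed to be set as in the question.

```php
<?php
// Added example: the same SELECT using PDO prepared statements.
// DSN, user and password below are placeholders, not values from the page.
declare(strict_types=1);

function isValidDate(string $value): bool {
    // Accept only YYYY-MM-DD and require a round-trip, so 2023-02-30 is rejected.
    $d = DateTime::createFromFormat('!Y-m-d', $value);
    return $d !== false && $d->format('Y-m-d') === $value;
}

function getStats(PDO $pdo, string $site, string $startDate, string $endDate): array {
    if (!isValidDate($startDate) || !isValidDate($endDate)) {
        throw new InvalidArgumentException('Dates must be in YYYY-MM-DD form');
    }
    // The SQL text holds only placeholders. The values are sent separately,
    // so quotes or comment sequences inside $site are treated as plain data.
    $sql = 'SELECT * FROM visitors
             WHERE site = :site
               AND date BETWEEN :start_date AND :end_date';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':site', $site, PDO::PARAM_STR);
    $stmt->bindValue(':start_date', $startDate, PDO::PARAM_STR);
    $stmt->bindValue(':end_date', $endDate, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Assumed connection; ERRMODE_EXCEPTION surfaces failures instead of returning false,
// and disabling emulated prepares makes the server do the parameter binding.
$pdo = new PDO('mysql:host=localhost;dbname=stats;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$rows = getStats($pdo, $_GET['site'] ?? '', $start_date ?? '', $end_date ?? '');
```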

OTHER TIPS

$_GET['site'] is a value that comes straight from the URL in the browser, which means a user could easily change this value to anything they want. You should check/sanitize that value (all values, actually) before sending it to a database.

Something like this would be a start. It could still use more work, and there are many ways of doing it; I would create a custom function/class to easily pass all variables through sitewide, which can simplify repetitive stuff like this:

$site = mysql_real_escape_string($_GET['site']);
$start_date = mysql_real_escape_string($start_date);
$end_date = mysql_real_escape_string($end_date);

$get_stats = mysql_query("SELECT * FROM visitors WHERE site='$site' AND date >= '$start_date' AND date <= '$end_date' ");

mysql_real_escape_string is the most basic and easiest form of security here.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow