I have a PHP file at my site, and I connect to the DB, get some records and list them in the same file.
// connect to the server and select the database
mysql_connect("localhost", "blabla", "blabla") or die(mysql_error());
mysql_select_db("blabla") or die(mysql_error());
// one result set per category, all with fixed query strings
$blabla1 = mysql_query("SELECT * FROM gallery WHERE id_cat=1");
$blabla2 = mysql_query("SELECT * FROM gallery WHERE id_cat=2");
$blabla3 = mysql_query("SELECT * FROM gallery WHERE id_cat=3");
So, is there anything I need to do for security? Like SQL injection or anything else. There is nothing going to the URL. It is just
This snippet is perfectly safe, because there are no variables put into the query string.
To work safely in case you have to deal with variables one day – be they directly coming in from the user, or from another data source – you may want to switch over to a MySQL library that supports parametrized queries, like PDO. Those eliminate the danger of injections completely, because they take care of escaping the incoming data automatically.
If you stick with the mysql_* functions, make sure you escape all incoming data using mysql_real_escape_string() and ensure the values are inserted within a pair of single quotes.
As long as your queries don’t use parameters, SQL Injection is not a risk.
SQL Injection can only happen when the users (or other sources) can influence anything that is sent to the database in SQL, for example search words.
There are no security issues here. SQL injection might happen where you get input from the user and use it in your queries.
If the gallery table contains some user input, then an XSS attack may be conducted. To prevent this, all untrusted user input must be prepared using the htmlspecialchars() function before printing it to the browser.
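An added example of the output escaping this answer recommends (this is not code from the question or from any answer): the rows are constructed inline to stand in for a result set from the gallery table, and the column name `title` is an assumption, since the question only shows `SELECT *`.

```php
<?php
// Added example: rendering gallery rows with htmlspecialchars() at the point
// where each database-sourced value is written into the page.
// The rows below are constructed to stand in for a fetched result set; the
// second one carries a stored script tag so the effect of escaping is visible.
$rows = [
    ['id' => 1, 'id_cat' => 1, 'title' => 'Sunset over the bay'],
    ['id' => 2, 'id_cat' => 1, 'title' => '<script>alert(1)</script>'], // constructed hostile value
    ['id' => 3, 'id_cat' => 1, 'title' => 'Tom & Jerry "classics"'],
];

// Escape one value for an HTML text node or a double-quoted attribute.
// ENT_QUOTES also encodes single quotes, so the same helper is safe inside
// attributes; ENT_SUBSTITUTE replaces invalid byte sequences instead of
// returning an empty string; the explicit charset avoids mis-encoding.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the HTML list for one category. Every value that came from the
// database goes through h() exactly where it enters the markup, never earlier
// (escaping on the way into the database would double-encode on other outputs).
function renderGallery(array $rows): string
{
    $html = "<ul>\n";
    foreach ($rows as $row) {
        $html .= sprintf(
            "  <li data-id=\"%s\">%s</li>\n",
            h((string) $row['id']),
            h($row['title'])
        );
    }
    return $html . "</ul>\n";
}

header('Content-Type: text/html; charset=UTF-8');
echo renderGallery($rows);
```

With this in place the hostile title is shown to the visitor as literal text rather than run by the browser, and the ampersand and quotes in the third title survive intact. The Content-Type header matters too: the charset passed to htmlspecialchars() should match the one the page is declared in.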
This snippet is safe, as there is no user provided input in the queries.
If you have user input, for example by getting the category that should be displayed from the URL or from POST, you should use prepared statements. This way you are safe even with user input. This is much safer than pure escaping because the SQL is parsed and then the parameters are inserted. This is better for performance and the user input can't change the structure of the SQL query.
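An added example (not code from the question or from any of the answers) of what this answer and the earlier PDO answer describe: the same gallery query with the category taken from the URL and run as a PDO prepared statement. The connection details are placeholders, and the `id`/`title` column names are assumed, since the question only uses `SELECT *`.

```php
<?php
// Added example: the gallery query from the question, with id_cat supplied by
// the visitor, run through a PDO prepared statement.
// DSN, user and password are placeholders; replace them with your own.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES   => false,                  // let MySQL itself keep SQL and parameters apart
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// Fetch the rows for one category. The SQL text is fixed at prepare() time;
// the category is sent to the server as a bound parameter, so whatever it
// contains it can only be compared against id_cat, never parsed as SQL.
function galleryByCategory(PDO $pdo, int $idCat): array
{
    $stmt = $pdo->prepare('SELECT id, title FROM gallery WHERE id_cat = :id_cat');
    $stmt->bindValue(':id_cat', $idCat, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Validate before querying: id_cat is an integer column, so anything that is
// not a positive integer is rejected up front with filter_input() rather than
// silently coerced. null means the parameter was absent, false means invalid.
$idCat = filter_input(INPUT_GET, 'cat', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($idCat === null || $idCat === false) {
    http_response_code(400);
    exit('Invalid category');
}

$rows = galleryByCategory($pdo, $idCat);
// $rows now holds the id/title pairs for ?cat=N, ready to be escaped on output.
```

Two points worth noticing: the validation step is independent of the prepared statement (the statement alone already prevents injection, the validation just gives a clean 400 for junk input), and turning off emulated prepares means the separation between statement and data happens on the MySQL server rather than in the client driver's escaping code.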
The only thing that you might want to consider, assuming that the connection code is in the web-accessible PHP script, is to either:
- move the MySQL connection out of the script and into a file outside of the site's document root, or
- use externally-sourced variables (i.e. from a different file outside of the document root) for the username and password in place of hard-coded details in the script.
That way, if for whatever reason the server displays the code instead of rendering the PHP, the details will remain safe from view.
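An added example of the first option in this answer (not code from the question or the answer itself): the credentials live in a PHP file outside the document root, and the public script only holds the path to it. The directory layout, file names and all credential values are placeholders.

```php
<?php
// Added example: loading database credentials from a file that the web server
// cannot serve as a URL. Assumed layout (placeholders):
//   /var/www/private/db-config.php   <- outside the document root
//   /var/www/html/gallery.php        <- this public script
//
// Contents of /var/www/private/db-config.php:
//
//   <?php
//   return [
//       'dsn'      => 'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
//       'user'     => 'DB_USER_PLACEHOLDER',
//       'password' => 'DB_PASSWORD_PLACEHOLDER',
//   ];

// Resolve the config path relative to this file, so it does not depend on the
// working directory, and fail closed if the file is missing or unreadable.
function loadDbConfig(string $path): array
{
    $resolved = realpath($path);
    if ($resolved === false || !is_readable($resolved)) {
        throw new RuntimeException('Database configuration unavailable');
    }
    $config = require $resolved;
    foreach (['dsn', 'user', 'password'] as $key) {
        if (!isset($config[$key])) {
            throw new RuntimeException("Database configuration is missing '$key'");
        }
    }
    return $config;
}

try {
    $config = loadDbConfig(__DIR__ . '/../private/db-config.php');
    $pdo = new PDO($config['dsn'], $config['user'], $config['password'], [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
} catch (Throwable $e) {
    // Log the real reason server-side; show the visitor nothing that
    // reveals paths, usernames or the DSN.
    error_log($e->getMessage());
    http_response_code(500);
    exit('Service temporarily unavailable');
}
// $pdo is ready; the secrets never appear in the body of this public file.
```

The second option in the answer works the same way with environment variables: set them in the web server or PHP-FPM pool configuration and read them with getenv() instead of the require. In both cases the file or environment still has to be readable by the user the web server runs as, so restrict its permissions to that account rather than making it world-readable.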