Newb needs help SQL Injection prevention
Hey Guys,
Complete newbie here. First, I'm not even sure a stored proc or function will do what I need it to, which is avoid SQL injection attacks. I can't use the PHP escape function because the components I want to search the DB for are in fact special characters: / " >, etc. I'm developing an app that looks up English phrases or punctuation and returns the Braille symbols needed. I've been told, and it's been implied by what I've read, that the act of passing a variable through to MySQL in a stored procedure will more or less prevent a SQL injection? If that's true I really need to figure out what I'm doing wrong with my syntax.
Here's my SQL query in PHP (which works) so far, after establishing a connection:
$ENG = "Put English Phrase or Punc Here";
mysql_select_db("ithelpex_test") or die(mysql_error());
// $ENG is spliced straight into the SQL text here, so a quote inside it becomes SQL syntax
$result = mysql_query("SELECT * FROM br_test WHERE ENG LIKE '$ENG' ");
Here's what my procedure looks like:
DELIMITER //
-- Parameter renamed from eng to p_eng: MySQL resolves a name that is both a
-- routine parameter and a column as the parameter, so "WHERE ENG LIKE eng"
-- compared the parameter with itself and matched every row.
CREATE PROCEDURE eng_lookup(
IN p_eng VARCHAR(30)
)
BEGIN
-- ithelpex_test is the database, not a column; select the row like the working query does
SELECT * FROM br_test WHERE ENG LIKE p_eng;
END
//
DELIMITER ;
I don't know what I'm getting wrong; I know I have to make a variable going in, but do I need to use the INTO function to get the result out? My debugger is a piece of junk and needless to say I'm having trouble finding decent tutorials online.
Thanks Guys.
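The lookup the post describes, as an added example that is not part of the original post or of the poster's code. It puts the post's string-splicing query next to a prepared statement (PDO with bound parameters) and feeds both the same special-character phrases. Injection happens where PHP builds the SQL string, so a stored procedure helps only when it is itself called with a bound parameter. The example runs stand-alone against an in-memory SQLite database; the table br_test and column ENG come from the post, while the BRL column, the sample rows, and the MySQL credentials in the comment are assumptions.

```php
<?php
// Added example, not code from the original post: the post's lookup done with a
// prepared statement, beside the string-splicing version, on the same inputs.
// Uses an in-memory SQLite database so it runs offline; against MySQL only the
// DSN and credentials in makeDb() change. The BRL column and rows are constructed.
declare(strict_types=1);

function makeDb(): PDO
{
    // MySQL equivalent (assumed credentials):
    //   new PDO('mysql:host=localhost;dbname=ithelpex_test;charset=utf8mb4', $user, $pass,
    //           [PDO::ATTR_EMULATE_PREPARES => false]);   // bind on the server, not in PHP
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE br_test (ENG VARCHAR(30) NOT NULL, BRL VARCHAR(60) NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO br_test (ENG, BRL) VALUES (?, ?)');
    // Constructed rows; the BRL values are placeholders, not real Braille cells.
    foreach (['hello', '/', '"', "'", '%', '>'] as $eng) {
        $ins->execute([$eng, "cells for $eng"]);
    }
    return $pdo;
}

// LIKE treats % and _ as wildcards even when the value is bound, so a search for
// the punctuation "%" or "_" must escape them. "!" is the escape character here
// because it is spelled the same way in MySQL and SQLite string literals.
function escapeLike(string $s): string
{
    return strtr($s, ['!' => '!!', '%' => '!%', '_' => '!_']);
}

// The post's pattern: the phrase is pasted into the SQL text, so a quote in it
// ends the string literal and whatever follows is executed as SQL.
function lookupUnsafe(PDO $pdo, string $eng): array
{
    $sql = "SELECT ENG, BRL FROM br_test WHERE ENG LIKE '$eng'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The SQL text is fixed; the phrase travels separately as a bound value, so
// quotes, slashes and angle brackets in it are data and never syntax.
function lookup(PDO $pdo, string $eng): array
{
    $stmt = $pdo->prepare("SELECT ENG, BRL FROM br_test WHERE ENG LIKE ? ESCAPE '!'");
    $stmt->execute([escapeLike($eng)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = makeDb();
foreach (['/', '"', "'", '%', "' OR '1'='1"] as $phrase) {
    try {
        $unsafe = count(lookupUnsafe($pdo, $phrase)) . ' row(s)';
    } catch (PDOException $e) {
        $unsafe = 'SQL error';      // the lone quote broke the query
    }
    printf("%-16s spliced: %-10s bound: %d row(s)\n",
        var_export($phrase, true), $unsafe, count(lookup($pdo, $phrase)));
}
```

Run it with `php lookup.php`: "/" and "\"" match one row either way, the lone "'" makes the spliced query fail with a syntax error, "%" returns every row when spliced (it is a wildcard) but exactly one row when bound and escaped, and `' OR '1'='1` dumps the whole table when spliced and matches nothing when bound. On MySQL the procedure can be called the same way, `$pdo->prepare('CALL eng_lookup(?)')->execute([$eng])`, and that is exactly as safe as the prepared SELECT; `CALL eng_lookup('$eng')` built by string splicing is as injectable as the original query, because the protection comes from binding, not from the procedure. The old `mysql_*` extension has no parameter binding at all, so this needs mysqli or PDO.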
Thread listing (reply subjects and author names were lost in extraction):
Views   Posted
2049    June 24, 2012 02:32PM   (this post: Newb needs help SQL Injection prevention)
1083    June 24, 2012 04:05PM
1058    June 27, 2012 10:57PM
873     June 29, 2012 07:11AM
1019    June 30, 2012 11:56AM
Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.