Zaitech
08-31-2006, 05:55 PM
So I'm designing a cms for someone and I want to make sure it's secure. I've used stripslashes, etc. when having user input.. I even have my $_GET commands stripslashed and everything, but what else can I do to stop SQL injection? Where can I learn more about how it works... so far what I've gotten from most of the sites I've seen is that if you go to a login page and put in "USERNAME'#" it'll comment out the password part and let you log in regardless of the password if it is insecure. But I tried this on a few of my sites and (without any protection) couldn't get it, so I don't think I understand this properly.
horizon
08-31-2006, 06:05 PM
Joy. My favorite subject. However, in order to help you out, it would be great to see some code of what you did in order to make the corrections. It's much faster this way. ;)
maxymizer
08-31-2006, 06:17 PM
This article (http://www.unixwiz.net/techtips/sql-injection.html) should give you some more info.
Also, it's not stripslashes() you should use on user input, it's addslashes(). You use stripslashes when getting the data from db.
Zaitech
08-31-2006, 06:30 PM
Ah, I'll post some of my coding later tonight, but if you're going to fix it you'll need to explain specifically what you did and why you did it, and to prevent people from doing X. (This way I'll know how to counter something someone is doing.)
horizon
08-31-2006, 06:52 PM
if you're going to fix it you'll need to explain specifically what you did and why you did it and to prevent people from doing X
This is what this forum is all about. ;)
OverlordQ
09-01-2006, 05:24 PM
The safest way is to use placeholders; they're a lot more secure than trying to figure out every way of escaping input. And if you must do it yourself, instead of blacklisting to get rid of bad things, use a whitelist to only allow what you specify.
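An added example, not code from anyone in this thread, putting the two pieces side by side: the concatenated login query from the first post (shown only as a string, so the reader can see where the password clause goes when the input is USERNAME'#), and OverlordQ's placeholder and whitelist approach. It assumes PHP with the PDO SQLite driver so it runs offline; the users table, the sample account and the function names are constructed for the demo.

```php
<?php
// Added example (not from the original thread). Contrasts a string-concatenated
// login query with a prepared statement (placeholders) and a whitelist for the
// one part of a query placeholders cannot bind: identifiers such as column names.
// Uses PDO + in-memory SQLite; table, columns and sample user are constructed.

declare(strict_types=1);

// --- The unsafe pattern, shown only as a string and never executed ------------
// Concatenation hands the input to the SQL parser. With the input the first post
// mentions, alice'# , the quote closes the string literal and, in MySQL, '#'
// starts a comment that swallows the rest of the WHERE clause.
function buildConcatenatedQuery(string $user, string $pass): string
{
    return "SELECT id, username FROM users WHERE username = '$user' AND password = '$pass'";
}

// --- Placeholders: the value travels separately from the SQL text ---------------
function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');
    // Constructed sample user; the password is stored hashed, not in the clear.
    $ins = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
    $ins->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

function authenticate(PDO $db, string $user, string $pass): ?array
{
    // :u is bound as data, so quotes or '#' in $user are just characters in a
    // name lookup; no addslashes()/stripslashes() is involved at all.
    $stmt = $db->prepare('SELECT id, username, pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pw_hash'])) {
        return null;
    }
    unset($row['pw_hash']);
    return $row;
}

// --- Whitelist for what placeholders cannot bind (identifiers) ------------------
const ALLOWED_SORT_COLUMNS = ['id', 'username'];

function sortColumn(string $requested): string
{
    // Only a value from the fixed list is ever interpolated; anything else falls
    // back to 'id'. This is the whitelist, as opposed to stripping "bad" input.
    return in_array($requested, ALLOWED_SORT_COLUMNS, true) ? $requested : 'id';
}

function listUsers(PDO $db, string $requestedSort): array
{
    $col = sortColumn($requestedSort);
    return $db->query("SELECT id, username FROM users ORDER BY $col")->fetchAll(PDO::FETCH_ASSOC);
}

// --- Demo -------------------------------------------------------------------------
$db = openDemoDb();

// Show what the concatenated query looks like with the first post's input.
echo buildConcatenatedQuery("alice'#", 'anything'), "\n";

// With placeholders the same input is a lookup for the literal name alice'#,
// which does not exist; a wrong password fails; the right one succeeds.
var_dump(authenticate($db, "alice'#", 'anything'));
var_dump(authenticate($db, 'alice', 'wrong'));
var_dump(authenticate($db, 'alice', 'correct horse'));

// A requested sort column is accepted only if whitelisted.
print_r(listUsers($db, 'username'));
print_r(listUsers($db, 'username; DROP TABLE users'));
```

The split matters in practice: bound parameters cover values (anything that would sit inside quotes), while column and table names, ORDER BY direction and LIMIT in some drivers cannot be parameterised, and those are exactly the places where a fixed allow-list is the right tool.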