tags:

views:

52

answers:

4
+1  Q: 

Create table query

I want to create a table for making a comment box. I was told that I should be wary of SQL injection (don't even know what that means).

So I thought I should ask around at SO. My requirements are:

Comments table

  1. a comment row, ~400 chars
  2. aid -> every comment should be linked to an aid. Duplicates should be allowed, meaning aid = 21 can have more than one comment. I should be able to search through the DB to see all the comments related to aid = 21.
  3. timestamp for the comment
  4. userid for the comment.

A MySQL query for the above table that should not allow SQL injection. I am pretty confused. Any help would be highly appreciated. Thanks a lot in advance.

+1  A: 

Try to use stored procedures in MySQL.

Use parameters to pass the input to the stored procedure.

John G
A: 

This tutorial is for you: http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

streetparade
+3  A: 

Creating a table usually happens only once, when the system is installed. There is, therefore, no risk of SQL injection (which happens when a query is run with data provided by the user).

The above description would probably be implemented as:

CREATE TABLE `comment` (
  `comment_id` INTEGER NOT NULL AUTO_INCREMENT PRIMARY KEY,
  `comment_text` VARCHAR(400) NOT NULL,
  `aid_id` INTEGER NOT NULL,
  `comment_time` DATETIME NOT NULL,
  `user_id` INTEGER NOT NULL,
  -- MySQL silently ignores a column-level REFERENCES clause, so the links
  -- to `aid` and `user` must be declared as explicit FOREIGN KEY constraints
  -- (InnoDB enforces them and indexes `aid_id`, which also speeds up the
  -- "all comments for aid = 21" lookup).
  FOREIGN KEY (`aid_id`) REFERENCES `aid`(`aid_id`),
  FOREIGN KEY (`user_id`) REFERENCES `user`(`user_id`)
) ENGINE=InnoDB;
Victor Nicollet
It is not printing the timestamp, i.e. the current time. It's printing 0000-0000.... Also the comment_text is not updating; it's null.
amit
It is generally good practice not to use SQL reserved words as identifiers (i.e. table or column names). Although the word "comment" is not in the SQL standard (see http://www.contrib.andrew.cmu.edu/~shadow/sql/sql1992.txt), it is a reserved word for DB2 (see table 2 from http://publib.boulder.ibm.com/infocenter/db2e/v8r2/index.jsp?topic=/com.ibm.db2e.doc/db2eresword.html).
Glenn
A table creation query is intended to create a table, not to print anything. You might want to ask a question related to your queries for reading the data.
Victor Nicollet
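As an added example (not code from any answer on this page), here are the insert and "all comments for an aid" queries the question actually needs, written with parameterised queries so user-supplied comment text can never become part of the SQL. SQLite stands in for MySQL so it runs offline; the parent `aid` and `user` tables are assumed, and the comment table mirrors the schema in the answer above.

```python
import sqlite3

# Constructed example: SQLite stands in for MySQL so this runs offline. The
# comment table mirrors the answer above; aid and user parents are assumed.
SCHEMA = """
CREATE TABLE aid  (aid_id  INTEGER PRIMARY KEY);
CREATE TABLE user (user_id INTEGER PRIMARY KEY);
CREATE TABLE comment (
  comment_id   INTEGER PRIMARY KEY AUTOINCREMENT,
  comment_text VARCHAR(400) NOT NULL,
  aid_id       INTEGER NOT NULL REFERENCES aid(aid_id),
  comment_time DATETIME NOT NULL,
  user_id      INTEGER NOT NULL REFERENCES user(user_id)
);
INSERT INTO aid VALUES (21); INSERT INTO user VALUES (7);
"""

def add_comment_unsafe(conn, aid, user_id, text):
    # Injection-prone: the comment is pasted into the SQL text, so a quote in
    # it changes the statement. Kept only to contrast with add_comment().
    conn.execute("INSERT INTO comment (comment_text, aid_id, comment_time, user_id)"
                 f" VALUES ('{text}', {aid}, datetime('now'), {user_id})")

def add_comment(conn, aid, user_id, text):
    # Parameterised: the driver passes text as data, never as SQL. MySQL
    # drivers (MySQLdb, mysql-connector) use %s where SQLite uses ?.
    conn.execute("INSERT INTO comment (comment_text, aid_id, comment_time, user_id)"
                 " VALUES (?, ?, datetime('now'), ?)", (text, aid, user_id))

def comments_for_aid(conn, aid):
    # The read side takes aid from the request, so it is parameterised too.
    rows = conn.execute("SELECT comment_text FROM comment WHERE aid_id = ?"
                        " ORDER BY comment_id", (aid,))
    return [r[0] for r in rows]

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    text = "I think O'Reilly's book covers this"   # an ordinary apostrophe
    try:
        add_comment_unsafe(conn, 21, 7, text)
        unsafe_ok = True
    except sqlite3.OperationalError:   # the apostrophe breaks the SQL
        unsafe_ok = False
    add_comment(conn, 21, 7, text)
    return unsafe_ok, comments_for_aid(conn, 21)
```

The string-built insert fails on a plain apostrophe, which is the same weakness an attacker would abuse; the parameterised version stores the text as-is and returns it when searching by aid.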
A: 

SQL injection is explained at Wikipedia and other places.

Using mysql_real_escape_string() or stored procedures are standard techniques that will avoid SQL injection.

fsb