Thursday, February 28, 2008

How to prevent sql injection when using php and mysql

What is sql injection?
SQL injection is when an SQL statement that a programmer designed is hijacked into doing other, potentially bad things because untrusted input is spliced into the statement text. Here is an example:
$query = "select true from users where user='".$_POST['user']."'";

Why is this bad? (Hint: what if a person submitted the following in the form field?)
$_POST['user']="whatever;select true";

How can I protect against sql injection?
There are a few ways:
- use mysqli
- use stored procedures and limit the permissions of the account being used
- use regular expressions

mysqli is a newer extension for accessing MySQL from PHP. It is designed to be more secure than the older mysql extension. The methods we are interested in for this post are prepare and bind_param: the statement is sent to the server with placeholders first and the values are bound afterward, so user input is only ever treated as data and cannot change the structure of the statement. A good example is already available on the php site, so we will not repeat it here.

First, limit the permissions of the database account so that it is only allowed to execute stored procedures. If the MySQL stored procedure handles its parameters safely, in the same way the mysqli extension does, then we do not need to worry about sql injection, and the account cannot run arbitrary queries against the tables even if a statement were hijacked.

Regular expressions can be used to filter out input that we want to guard against. A common approach is to reject the ';' character, since it is used to separate MySQL statements. But even this does not protect against everything. The regular expression method is generally the least favored of the three, as it is more difficult to get right and error prone.
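As an added example (this is not code from the original post), here is the post's vulnerable query placed next to the mysqli prepared-statement form and a stored-procedure form. The connection details, the users table, the procedure name user_exists and the GRANT shown in the comments are all assumptions made for the example.

```php
<?php
// Added example for this post (not the original author's code). It assumes a MySQL
// server reachable with the placeholder credentials below, a table
// users(user VARCHAR(64)), and, for the last function, a stored procedure
// user_exists(IN p_user VARCHAR(64)) whose body is
//   SELECT COUNT(*) FROM users WHERE user = p_user;
// The application account then needs only
//   GRANT EXECUTE ON PROCEDURE app_db.user_exists TO 'app_user'@'localhost';
// instead of SELECT on the tables themselves.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on failure instead of returning false

// The pattern from the post: untrusted input spliced into the SQL text.
// Whatever the user typed becomes part of the statement the server parses,
// so a stray quote or separator breaks or changes the query.
function userExistsUnsafe(mysqli $db, string $user): bool
{
    $query = "select true from users where user='" . $user . "'";
    $result = $db->query($query);
    return $result->num_rows > 0;
}

// Prepared statement: the SQL text with its ? placeholder is parsed by the server
// before any value is supplied. The bound value is always treated as data, so a
// string such as "whatever;select true" is simply compared against the user column.
function userExistsSafe(mysqli $db, string $user): bool
{
    $stmt = $db->prepare("select true from users where user = ?");
    $stmt->bind_param('s', $user); // 's' marks the parameter as a string
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

// Stored procedure called through a prepared statement. The SQL the application can
// run is now limited to what the procedure does and what the EXECUTE grant allows.
function userExistsViaProcedure(mysqli $db, string $user): bool
{
    $stmt = $db->prepare("CALL user_exists(?)");
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close(); // also discards the procedure's trailing status result
    return $count > 0;
}

$db = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'app_db');

// Constructed inputs: an ordinary username and the value from the post.
foreach (['alice', "whatever;select true"] as $input) {
    printf("%-24s exists=%s\n", $input, var_export(userExistsSafe($db, $input), true));
}
$db->close();
```

The unsafe function is included only for comparison and is not called: with strict error reporting enabled, the second constructed input would make it throw a mysqli_sql_exception on the broken statement, while the prepared forms return false because the whole string is treated as a username to look up.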

This post is brief, but I intend to add more to it later.

Wednesday, February 27, 2008

Dynamically Load Assemblies in C# framework 3.5

Here are two simple examples of how to dynamically load assemblies in framework 3.5 using C#.

This first file is the assembly that we wish to load (built as ClassLibrary1.dll):

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

namespace plugin
{
    public class plugin
    {
        private string _message;

        // Parameterless constructor; it runs as soon as Activator creates the instance.
        public plugin()
        {
            _message = "I am just a plugin";
            Console.WriteLine(_message);
        }
    }

    public class pluginAdvanced
    {
        // Constructor with parameters, matched by Activator.CreateInstance(Type, object[]).
        public pluginAdvanced(string message, int times)
        {
            for (int i = 0; i < times; i++)
            {
                Console.WriteLine(message);
            }
        }
    }
}

Then the exe that loads the file:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Reflection; //<--------very important line

namespace ConsoleApplication1
{
    class Program
    {
        static void Main(string[] args)
        {
            // LoadFrom runs whatever code the assembly contains (here the constructors
            // write to the console), so only load DLLs from a location the application controls.
            Assembly pluginAssembly = Assembly.LoadFrom("./ClassLibrary1.dll"); // specify path to dll

            // this first example just instantiates a class with no input parameters
            Type pluginType = pluginAssembly.GetType("plugin.plugin"); // returns null if the name is wrong
            object holder = Activator.CreateInstance(pluginType);

            // this second example instantiates a class whose constructor takes parameters;
            // the array must match the constructor's parameter types in order
            object[] passin = new object[] { "I need to be heard", 2 };
            holder = Activator.CreateInstance(pluginAssembly.GetType("plugin.pluginAdvanced"), passin);
        }
    }
}


// good luck : )

Saturday, February 23, 2008

Free Icons

I was working on a project when I came across this really nice list of sites that offer free icons. The first one is really good.