The problem with all of the code above is that the value is not sanitized before it is sent as part of a query. All we need to ensure is that only safe data is passed into the database. We can send safe data and prevent the data from being compromised by following the four prime SQL injection prevention methods below.
Function mysql_real_escape_string():
The above function takes the string that will be used in the MySQL query and returns the same string with every SQL injection attempt securely escaped. It does this by prefixing each troublesome quote in the submitted value with a backslash (\), so the quote can no longer end the string literal it sits in.
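The escaping step described above, as an added example that is not code from the original article. It uses mysqli_real_escape_string(), the maintained equivalent of the mysql_real_escape_string() function named above (the old mysql extension was removed in PHP 7). The host, credentials, database and table names are placeholders, and the input value is constructed for the demonstration.

```php
<?php
// Added example, not code from the original article. It shows the escaping
// step the article describes: the user-supplied value is passed through the
// escape function before it is placed inside a quoted literal in the query.
// mysqli::real_escape_string() is the maintained equivalent of the
// mysql_real_escape_string() the article names. Host, credentials, database
// and table names below are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'app_db');
// The escape rules depend on the connection charset, so set it explicitly.
$db->set_charset('utf8mb4');

// Constructed input: a legitimate name that happens to contain a single quote.
$name = "O'Brien";

// Without escaping, the quote inside the value ends the string literal early
// and whatever follows it is parsed by the server as SQL.
$unsafe = "SELECT id FROM users WHERE name = '" . $name . "'";

// With escaping, every ', ", \ and NUL inside the value is prefixed with a
// backslash, so the whole value stays inside the literal.
$escaped = $db->real_escape_string($name);
$safe    = "SELECT id FROM users WHERE name = '" . $escaped . "'";

echo "unsafe: ", $unsafe, PHP_EOL;
echo "safe:   ", $safe, PHP_EOL;

// Numeric values are not quoted in SQL, so escaping does nothing for them;
// cast them to the expected type instead.
$age   = (int) "34";
$byAge = "SELECT id FROM users WHERE age = " . $age;

foreach ([$safe, $byAge] as $sql) {
    $rows = $db->query($sql)->num_rows;
    echo "query returned ", $rows, " row(s)", PHP_EOL;
}
$db->close();
```

Escaping is specific to one context: it protects a value that is placed between quotes in the query and nothing else, which is why the numeric case above is handled by a cast rather than by the escape function.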
Magic quotes help escape risky form data that could otherwise be used in an SQL injection. A backslash (\) is automatically prepended to each special character in every submitted form value.
The function used to check whether magic quotes are enabled on the server is:
After adding magic quotes:
The \ becomes \\
The ' becomes \'
The " becomes \"
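The transformation listed above, together with a guarded version of the "is it enabled" check, as an added example that is not code from the original article. Magic quotes applied addslashes() to every GET, POST and COOKIE value; the feature was removed in PHP 5.4 and get_magic_quotes_gpc() itself in PHP 8.0, so the check is wrapped in function_exists() and the input string is constructed for the demonstration.

```php
<?php
// Added example, not code from the original article. It demonstrates the
// magic-quotes transformation the article lists (\ -> \\, ' -> \', " -> \")
// and a guarded way to check whether the feature is on. Magic quotes applied
// addslashes() to every GET/POST/COOKIE value; the feature was removed in
// PHP 5.4 and get_magic_quotes_gpc() itself in PHP 8.0, so the check below
// works on both old and current interpreters.

// True only on a PHP 5.3 or older setup that has magic_quotes_gpc switched on.
function magicQuotesEnabled(): bool
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Returns the value as the user actually typed it. When magic quotes are on,
// the request data already carries backslashes that must be stripped before
// the value is escaped again for the query; otherwise the backslashes double
// up and end up stored in the database.
function rawRequestValue(string $value): string
{
    return magicQuotesEnabled() ? stripslashes($value) : $value;
}

// Constructed input containing each character the article lists.
$typed = 'back\slash, single \' quote, double " quote';

// addslashes() is exactly what magic quotes did to incoming request data,
// so this simulates the value a script received with the feature switched on.
$asReceivedWithMagicQuotes = addslashes($typed);

echo "typed:           ", $typed, PHP_EOL;
echo "magic-quoted:    ", $asReceivedWithMagicQuotes, PHP_EOL;
echo "magic quotes on: ", magicQuotesEnabled() ? 'yes' : 'no', PHP_EOL;
// On a current interpreter the feature is off, so the value is passed through
// unchanged; on an old interpreter with it on, the backslashes are removed.
echo "normalised:      ", rawRequestValue($asReceivedWithMagicQuotes), PHP_EOL;
```

Checking the setting first matters because escaping a value that magic quotes has already escaped produces doubled backslashes; normalising to the raw value and then escaping exactly once keeps the stored data correct on either configuration.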
The htmlentities() function translates all applicable characters to HTML entities and returns the encoded string, so characters such as < and > are rendered as text rather than interpreted as markup.
Its signature is:
string htmlentities ( string $string [, int $quote_style=ENT_COMPAT [, string $charset [, bool $double_encode=true ]]] )
<?php
$str = "A 'quote' is <b>bold</b>";
// ENT_COMPAT (the default before PHP 8.1) converts double quotes but leaves single quotes alone.
// Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str, ENT_COMPAT);
Length Validation: Restrict every input field in the application to the absolute minimum length (7 to 15 characters). This helps block long query inputs.
Input Validation: Validate the data entered in each input field. For example, an Age field should accept only numbers, and only 2 digits should be allowed.
User Privileges: Create an "admin user" for each database and grant the table "create, drop and edit" privileges only to that admin user, so the account the application uses for everyday queries does not hold them.
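The length and input validation rules above, applied before a value can reach a query, as an added example that is not code from the original article. The field names, the 7 to 15 character username limit and the 2-digit age limit are assumed for illustration, and the sample submissions are constructed.

```php
<?php
// Added example, not code from the original article: length and input
// validation performed before any value reaches a query. The field names and
// limits (username 7-15 characters, age at most 2 digits) are assumed here
// for illustration.

// Returns the validated username, or null when the input must be rejected.
function validateUsername(string $value): ?string
{
    $value = trim($value);
    // The length limit blocks long inputs; the character allow-list blocks
    // quotes and other characters that carry meaning inside SQL.
    if (strlen($value) < 7 || strlen($value) > 15) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9_]+$/', $value)) {
        return null;
    }
    return $value;
}

// Returns the age as an integer, or null unless the input is 1 or 2 digits.
function validateAge(string $value): ?int
{
    $value = trim($value);
    if (!ctype_digit($value) || strlen($value) > 2) {
        return null;
    }
    return (int) $value;
}

// Constructed submissions: one well-formed, the rest must be rejected.
$samples = [
    ['username' => 'alice_01',  'age' => '34'],
    ['username' => 'bob',       'age' => '34'],   // username too short
    ['username' => "carol'ann", 'age' => '34'],   // quote is not on the allow-list
    ['username' => 'dave_2024', 'age' => '123'],  // three digits
    ['username' => 'erin_2024', 'age' => '2x'],   // not numeric
];

foreach ($samples as $s) {
    $user = validateUsername($s['username']);
    $age  = validateAge($s['age']);
    if ($user === null || $age === null) {
        echo "rejected: ", json_encode($s), PHP_EOL;
        continue;
    }
    // Only validated values are used further; the integer cast keeps the age
    // numeric, and the allow-list keeps the username free of quotes.
    echo "accepted: username={$user} age={$age}", PHP_EOL;
}
```

Validation of this kind complements escaping rather than replacing it: a value that passes the allow-list still goes through the escape function before being quoted into a query, and the integer returned for the age is interpolated as a number without quotes.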