4 SQL injection methods every PHP programmer should be aware of.
February 2, 2009
The problem with all such code is that the value is not sanitized before it is sent as part of a query. What we need to make sure of is that only safe data is passed to the database. We can pass safe data and prevent our data from being hacked by following these four prime methods of SQL injection prevention:
Function mysql_real_escape_string():
In PHP, we have a function to deal with strings that will be used in MySQL.
Function:
mysql_real_escape_string()
The function takes the string that will be used in the MySQL query and returns the same string with every character that could be used for an SQL injection attempt securely escaped. It does this by prefixing each troublesome quote in the value with a backslash (\).
Magic quotes:
Magic quotes help to escape risky form data that could be used for SQL injection. When enabled, PHP automatically adds a backslash (\) before each special character in the submitted form data.
The function to check whether magic quotes are enabled on the server is get_magic_quotes_gpc().
Example:
After magic quotes are applied:
The \ becomes \\
The ' becomes \'
The " becomes \"
HTML Entities:
The htmlentities() function translates all applicable characters to HTML entities and returns the encoded string. Its signature is:
string htmlentities ( string $string [, int $quote_style=ENT_COMPAT [, string $charset [, bool $double_encode=true ]]] )
Example:
<?php
$str = "A 'quote' is <b>bold</b>";
// Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str);
?>
Length Validation: Limit every input field in the application to the absolute minimum length it needs (7 to 15 characters). This helps to block long injected queries.
Input Validation: Validate the data entered in each input field. For example, an Age field should accept only numbers, and only 2 digits should be allowed.
User Privileges: Create an "admin user" for each database and grant the create, drop and edit table privileges only to that admin user, not to the account the application uses for its normal queries.
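The checks described above assembled into one flow, as an added example that is not code from the original post: length validation, the two-digit age rule, escaping before the query is built, and htmlentities() for display. The function names length_ok(), age_ok(), raw_value(), build_insert() and for_html() are chosen here, $conn is assumed to be an open mysqli connection, and mysqli_real_escape_string() stands in for the mysql_real_escape_string() named above (the old mysql extension is no longer shipped with PHP).

```php
<?php
// Added example (not from the original post): the post's checks applied in
// order before a value reaches the query. $conn is an assumed open mysqli link.

// Length Validation: reject anything outside the field's allowed range.
function length_ok(string $value, int $min, int $max): bool {
    $len = strlen($value);
    return $len >= $min && $len <= $max;
}

// Input Validation: an age is digits only and at most 2 digits long.
function age_ok(string $value): bool {
    return preg_match('/^[0-9]{1,2}$/', $value) === 1;
}

// Magic quotes caveat: if the server already added backslashes, strip them
// first so the value is not escaped a second time in build_insert().
function raw_value(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Builds the INSERT only when every check passes; returns null otherwise.
// mysqli_real_escape_string() is the mysqli counterpart of the function named
// in the post: it prefixes quotes and backslashes in $name with a backslash.
function build_insert(mysqli $conn, array $post): ?string {
    $name = raw_value((string) ($post['name'] ?? ''));
    $age  = (string) ($post['age'] ?? '');
    if (!length_ok($name, 1, 15) || !age_ok($age)) {
        return null;
    }
    $safe_name = mysqli_real_escape_string($conn, $name);
    return "INSERT INTO users (name, age) VALUES ('$safe_name', " . (int) $age . ")";
}

// htmlentities() for display: ENT_QUOTES also encodes single quotes.
function for_html(string $value): string {
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: a valid age, and one carrying a stray quote that
// age_ok() rejects, so build_insert() would return null for it.
var_dump(age_ok('42'));   // bool(true)
var_dump(age_ok("42'"));  // bool(false)
echo for_html("A 'quote' is <b>bold</b>"), "\n";
// Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
```

The validation and display functions run without a database; only build_insert() needs the live $conn, because mysqli_real_escape_string() escapes according to the connection's character set.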