SQL security to prevent attacks
Here are some code samples for different situations that help prevent SQL injection. The vulnerabilities themselves are not discussed here, but we will be adding them shortly.
In PHP, if variables are taken from the query string and used inside a MySQL query, they must be validated (checked) before use.
When we expect nothing but a numeric value, check the variable with the is_numeric PHP function and terminate the script if the data is not a number. Note that is_numeric also accepts decimals, signs and exponent notation such as "1e3"; when only an integer id is acceptable, filter_var with FILTER_VALIDATE_INT (or a cast to int) is stricter. Here is a sample code for this.
// Use a default so a missing parameter does not raise an "undefined index" notice
$cat_id = $_GET['cat_id'] ?? '';
if (!is_numeric($cat_id)) {
    echo "Data Error";
    exit;
}
If we are not sure whether the variable $start is present at all, we can check "if it is present then it must be a number".
$start = $_GET['start'] ?? '';
// An empty value is allowed (parameter absent); a non-empty value must be numeric
if (strlen($start) > 0 && !is_numeric($start)) {
    echo "Data Error";
    exit;
}
If we expect only alphanumeric characters (letters and digits, no spaces, quotes or punctuation) then we can use the ctype_alnum function. It expects a string and returns false for the empty string, so check the type first.
if (!is_string($var) || !ctype_alnum($var)) {
    echo "Data Error";
    exit;
}
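The three checks above combined into reusable validation helpers, as an added example that is not part of the original page. It goes a little beyond the page's code: it uses FILTER_VALIDATE_INT instead of is_numeric so that values like "1e3" and "1.5" are rejected for integer ids, and it adds a length limit to the alphanumeric check. The $params array stands in for $_GET and its rows are constructed inputs for the demo.

```php
<?php
// Added example (not from the original page): validation helpers for request
// parameters. $params stands in for $_GET so the script runs offline.

// Required integer id. FILTER_VALIDATE_INT is stricter than is_numeric(),
// which would also accept "1.5", "1e3" and ".5".
function requireIntParam(array $params, string $name): int
{
    if (!isset($params[$name]) || !is_string($params[$name])) {
        throw new InvalidArgumentException("Missing parameter: $name");
    }
    $value = filter_var($params[$name], FILTER_VALIDATE_INT);
    if ($value === false) {
        throw new InvalidArgumentException("Data Error: $name must be an integer");
    }
    return $value;
}

// Optional integer (e.g. a paging offset): absent or empty means the default,
// present means it must be a non-negative integer.
function optionalIntParam(array $params, string $name, int $default = 0): int
{
    if (!isset($params[$name]) || $params[$name] === '') {
        return $default;
    }
    $value = filter_var($params[$name], FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($value === false) {
        throw new InvalidArgumentException("Data Error: $name must be a non-negative integer");
    }
    return $value;
}

// Alphanumeric token (e.g. a username). ctype_alnum() expects a string and
// returns false for the empty string, so check type and length explicitly.
function requireAlnumParam(array $params, string $name, int $maxLen = 32): string
{
    $value = $params[$name] ?? null;
    if (!is_string($value) || $value === '' || strlen($value) > $maxLen || !ctype_alnum($value)) {
        throw new InvalidArgumentException("Data Error: $name must be 1-$maxLen alphanumeric characters");
    }
    return $value;
}

// Constructed inputs, including ones is_numeric() would have let through.
$cases = [
    ['cat_id' => '42',               'start' => '',   'user' => 'alice1'],
    ['cat_id' => '1e3',              'start' => '10', 'user' => 'bob'],     // is_numeric('1e3') is true
    ['cat_id' => '7 UNION SELECT 1', 'start' => '0',  'user' => 'x'],
    ['cat_id' => '5',                'start' => '-1', 'user' => "o'neil"],
];

foreach ($cases as $params) {
    try {
        $catId = requireIntParam($params, 'cat_id');
        $start = optionalIntParam($params, 'start');
        $user  = requireAlnumParam($params, 'user');
        echo "ok: cat_id=$catId start=$start user=$user\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: " . $e->getMessage() . "\n";
    }
}
```

Only the first row passes all three checks; the others are rejected at the first failing parameter, which is the behaviour the "echo and exit" snippets above implement inline. Throwing an exception instead of calling exit keeps the helpers testable and lets one error handler decide how to respond.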
Escape quotes in string values used in a query
Hackers can inject additional queries into an existing one with the UNION keyword, particularly when user-submitted data such as a login id and password is placed inside our SQL statement. To avoid this we can escape the variables before using them inside the query, so that a quote in the input cannot close the string literal. Escaping only protects values that sit inside quoted string literals; a value interpolated unquoted (for example a numeric id) must be validated as shown above instead. The mysql_ extension that provided mysql_real_escape_string was removed in PHP 7.0; use mysqli_real_escape_string with the open connection handle, or better, a prepared statement with bound parameters, which needs no escaping at all. Here is one example of how to escape a userid before using it.
// $link is the open mysqli connection; the escape function needs it to use the connection's character set
$userid = mysqli_real_escape_string($link, $userid);
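The UNION attack described above, run against a concatenated login query and then against the same lookup as a prepared statement, as an added example that is not part of the original page. It uses PDO with an in-memory SQLite database instead of MySQL so it runs without a server; the users table, its rows and the attacker payload are constructed for the demo. PDO::quote stands in for mysqli_real_escape_string to show that escaping also closes the hole, but only for the quoted case.

```php
<?php
// Added example (not from the original page): UNION injection against a
// string-concatenated query, and the same lookup as a prepared statement.
// Uses PDO with an in-memory SQLite database so it runs without MySQL;
// the table and rows are constructed for the demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, userid TEXT, password TEXT)');
$pdo->exec("INSERT INTO users (userid, password) VALUES ('alice', 'secret1'), ('bob', 'secret2')");

// Vulnerable: user input is pasted straight into the SQL text.
function loginUnsafe(PDO $pdo, string $userid, string $password): array
{
    $sql = "SELECT userid FROM users WHERE userid = '$userid' AND password = '$password'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: values travel as bound parameters and can never change the query text.
function loginSafe(PDO $pdo, string $userid, string $password): array
{
    $stmt = $pdo->prepare('SELECT userid FROM users WHERE userid = ? AND password = ?');
    $stmt->execute([$userid, $password]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker input: closes the string literal, appends a UNION that
// pulls the password column, and comments out the rest of the original WHERE.
$payload = "x' UNION SELECT password FROM users -- ";

print_r(loginUnsafe($pdo, $payload, 'anything')); // both stored passwords come back
print_r(loginSafe($pdo, $payload, 'anything'));   // empty array: no such user

// Escaping (the page's approach) also closes the hole, but only inside quotes.
// PDO::quote adds the surrounding quotes itself, so the payload becomes a plain literal.
$escaped = $pdo->quote($payload);
$rows = $pdo->query("SELECT userid FROM users WHERE userid = $escaped")->fetchAll(PDO::FETCH_COLUMN);
print_r($rows); // empty array
```

The vulnerable query the attacker actually executes is SELECT userid FROM users WHERE userid = 'x' UNION SELECT password FROM users -- ' AND password = 'anything', which is why the password check never runs. The prepared statement sends the same bytes as data rather than SQL, so no escaping step is needed and there is nothing to forget.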
Comments
lija (14-07-2009): It's very useful.
pdemmy (24-08-2009): The resources here are useful... thanks.
DEE (02-03-2010): Well, it's really good....... but it should be more comprehensive.
Ali Mohamed Omar (22-05-2010): The resources here are useful... thanks.
John (09-05-2012): Thank you - this will help.
Rayon (04-05-2013): Nice one..