SQL security to prevent attacks

Here are some sample codes to be used on different situations to prevent hacking. SQL vulnerability issues are not discussed here but we will be adding them shortly.

In PHP if some variables are taken from query string and used inside one mysql query then the variables are to be sanitized ( checked ) first before using.

Allowing only numeric data

When we don't expect any thing other than a numeric value then why not to check the variable by using is_numeric PHP function and terminate the program if data is not a number. Here is a sample code for this.

$cat_id=$_GET['cat_id'];
if(!is_numeric($cat_id)){
echo "Data Error";
exit; }

Allowing array of numeric numbers or integers

We may use an array like [5,7,4,1] which consist of numbers only. Here we will not allow other than numbers. So something like [5,7,4,a,1] is not allowed. We used split command to create an array from a string then checked each element by looping and displaying each element. If any element is not integer than we will exit the script saying data error.
$cat_id="2,3,a"; // For testing this page only. 
$mn=split(",",$cat_id); // creating array
while (list ($key, $val) = each ($mn)) {
//echo "$key -> $val <br>"; // display elements if you want
if(!is_numeric($val)){ // checking each element
echo "Data Error ";
exit;
}
}

Check only if it is available

If we are not sure the varialble $start is available or not then we can use this to check 'if it is available then it must be a number'.
 $start=$_GET['start'];
if(strlen($start) > 0 and !is_numeric($start)){
echo "Data Error";
exit;
}

Allowing only alphanumeric characters

If we expect only alphanumeric characters then we can use ctype_alnum function.
if(!ctype_alnum($var)){
echo "Data Error";
exit; }

Allow only Chars Numbers and space

if(!preg_match('/^[a-z0-9\s]+$/i', $t1)){
echo "Data Error ";
exit;
}
We can change above code to allow dashr dot or under score( - or . _ )
if(!preg_match('/^[a-z0-9\s.\- \_]+$/i', $t1)){
echo "Data Error ";
exit;
}

Remove quotes or escape from query

Hackers can inject additional queries by using UNION command to an existing query, particularly when we are getting user submitted data like login id and password in our sql statement. To avoid this we can sanitize the variables before using them inside our query. Here is one example how to check userid before using.
$userid=mysql_real_escape_string($userid);


Subscribe

* indicates required
Subscribe to plus2net

    plus2net.com



    lija

    14-07-2009

    its very use full
    pdemmy

    24-08-2009

    the resources here are useful...thanhs
    DEE

    02-03-2010

    Well its really gud.......but it should b more comprehensive.
    Ali Mohamed Omar

    22-05-2010

    the resources here are useful...thanhs
    John

    09-05-2012

    thank you - this will help
    Rayon

    04-05-2013

    Nice one..
    Sanju

    09-10-2014

    its very use full thanks for posting.......
    vveer

    16-10-2014

    Thanks for the info. Very useful

    Post your comments , suggestion , error , requirements etc here .





    SQL Video Tutorials










    We use cookies to improve your browsing experience. . Learn more
    HTML MySQL PHP JavaScript ASP Photoshop Articles FORUM . Contact us
    ©2000-2021 plus2net.com All rights reserved worldwide Privacy Policy Disclaimer