SQL security to prevent attacks
In PHP if some variables are taken from query string and used inside one mysql query then the variables are to be sanitized ( checked ) first before using.
Allowing only numeric data
When we don't expect any thing other than a numeric value then why not to check the variable by using is_numeric PHP function and terminate the program if data is not a number. Here is a sample code for this.$cat_id=$_GET['cat_id'];
if(!is_numeric($cat_id)){
echo "Data Error";
exit;
}Allowing array of numeric numbers or integers
We may use an array like [5,7,4,1] which consist of numbers only. Here we will not allow other than numbers. So something like [5,7,4,a,1] is not allowed. We used split command to create an array from a string then checked each element by looping and displaying each element. If any element is not integer than we will exit the script saying data error.$cat_id="2,3,a"; // For testing this page only.
$mn=split(",",$cat_id); // creating array
while (list ($key, $val) = each ($mn)) {
//echo "$key -> $val <br>"; // display elements if you want
if(!is_numeric($val)){ // checking each element
echo "Data Error ";
exit;
}
}Check only if it is available
If we are not sure the variable $start is available or not then we can use this to check 'if it is available then it must be a number'. $start=$_GET['start'];
if(strlen($start) > 0 and !is_numeric($start)){
echo "Data Error";
exit;
}Allowing only alphanumeric characters
If we expect only alphanumeric characters then we can use ctype_alnum function.if(!ctype_alnum($var)){
echo "Data Error";
exit;
}Allow only Chars Numbers and space
if(!preg_match('/^[a-z0-9\s]+$/i', $t1)){
echo "Data Error ";
exit;
}if(!preg_match('/^[a-z0-9\s.\- \_]+$/i', $t1)){
echo "Data Error ";
exit;
}Remove quotes or escape from query
Hackers can inject additional queries by using UNION command to an existing query, particularly when we are getting user submitted data like login id and password in our sql statement. To avoid this we can sanitize the variables before using them inside our query. Here is one example how to check userid before using.$userid=mysql_real_escape_string($userid);Installation of Database Tables & records of a Database Managing MySQL SELECT Query
Subhendu Mohapatra
Author
🎥 Join me live on YouTubePassionate about coding and teaching, I publish practical tutorials on PHP, Python, JavaScript, SQL, and web development. My goal is to make learning simple, engaging, and project‑oriented with real examples and source code.
Subscribe to our YouTube Channel here
This article is written by plus2net.com team.
https://www.plus2net.com
| lija | 14-07-2009 |
| its very use full | |
| pdemmy | 24-08-2009 |
| the resources here are useful...thanhs | |
| DEE | 02-03-2010 |
| Well its really gud.......but it should b more comprehensive. | |
| Ali Mohamed Omar | 22-05-2010 |
| the resources here are useful...thanhs | |
| John | 09-05-2012 |
| thank you - this will help | |
| Rayon | 04-05-2013 |
| Nice one.. | |
| Sanju | 09-10-2014 |
| its very use full thanks for posting....... | |
| vveer | 16-10-2014 |
| Thanks for the info. Very useful | |
SQL Video Tutorials