4 SQL injection methods every PHP programmer should be aware of.

The Problem with all the codes is that the value is not sanitized before it will be sent as a query. All we need to make sure is that we are passing a secure data into the database. We can send secure data and prevent the data hacking by following the four prime SQL injection methods

Function mysql_real_escape_string() :

In PHP, we have a function to deal with strings in MYSQL. (Modified Content)

Function:
mysql_real_escape_string()

Above function seize the string that will be used in the MYSQL query and return the same string with all SQL Injection attempts that have securely escaped. Above functions will assist to replace each troublesome quotes in SQL Injection query with “backslash \”

Magic Quotes:

Magic quotes will help to escape from risky form data that is used in SQL Injection. It will automatically include “backslash \” for each special characters in SQL Injection query submitted.

Function to check whether Magic quotes are enabled on server is
“get_magic_quotes_gpc function”

Example:
After adding magic quotes
The   \  becomes  \\
The   ‘  becomes  \’
The   ”  becomes  \”

HTML Entities:

HTML Entities function translates all applicable characters to HTML Entities and returns the encoded string.

Function used to translate is,

string htmlentities ( string $string [, int $quote_style=ENT_COMPAT [, string $charset [, bool $double_encode=true ]]] )

Example:

 <?php $str = “A ‘quote’ is <b>bold</b>”;

// Outputs: A ‘quote’ is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str);

Validation:

Length Validation: Hamper  all the input fields in the application to the absolute minimum (7 to 15 characters). This will help to block long queries input.
Input Validation: Validate the data entered in the input field. For eg. Age field should accept the only number and only 2 digits are allowed.
User Privileges:  Create “Admin user” for each database and provide “create, drop and edit ” tables privileges only to the “admin user “