Macronimous web blog
4 SQL injection methods every PHP programmer should be aware of.

February 2nd, 2009

Posted by Macronimous in 4 series, Databases, PHP Programming, web programming


The problem with all of this code is that the value is not sanitized before it is sent as part of a query. What we need to make sure of is that only safe data is passed into the database. The following four prime methods let us send safe data and prevent data theft through SQL injection.

Function mysql_real_escape_string():

In PHP, we have a function to deal with strings that are going into MySQL queries.

Function:
mysql_real_escape_string()

The function above takes the string that will be used in the MySQL query and returns the same string with every character that could be used for an SQL injection attempt safely escaped. It does this by prefixing each troublesome quote in the input with a backslash (\).

Magic Quotes:

Magic quotes help to escape risky form data that could be used in an SQL injection. They automatically add a backslash (\) in front of each special character in the submitted input.

The function to check whether magic quotes are enabled on the server is get_magic_quotes_gpc().

Example:
After adding magic quotes:
The  \  becomes  \\
The  '  becomes  \'
The  "  becomes  \"

HTML Entities:

The htmlentities() function translates all applicable characters to HTML entities and returns the encoded string.

The function used to translate is:

string htmlentities ( string $string [, int $quote_style=ENT_COMPAT [, string $charset [, bool $double_encode=true ]]] )

Example:

<?php
$str = "A 'quote' is <b>bold</b>";

// Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
// (with the default ENT_COMPAT, double quotes are converted but single quotes are left alone)
echo htmlentities($str);

Validation:

Length Validation: Restrict the length of every input field in the application to the absolute minimum (7 to 15 characters). This helps to block long query inputs.
Input Validation: Validate the data entered in each input field. For example, an Age field should accept only numbers, and only 2 digits should be allowed.
User Privileges: Create an "admin user" for each database and grant the privileges to create, drop and edit tables only to that admin user; the account the application uses for ordinary queries should not have them.
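The four measures above combined on one lookup query, as an added example that is not code from the original post. It assumes a mysqli connection in $db and a users table with name and age columns (both assumptions), and uses mysqli's real_escape_string() because the mysql_ extension the post refers to was removed in PHP 7; the example also shows the double-escaping trap that arises when magic quotes and mysql_real_escape_string() are both applied to the same value.

```php
<?php
// Added example (not from the original post). Assumes: a mysqli connection $db
// and a table `users` with columns `name` and `age`.

// 1. Magic quotes: if the server has already added backslashes, strip them
//    first, otherwise real_escape_string() below escapes the value a second
//    time and a legitimate O'Brien ends up stored as O\\'Brien.
//    (get_magic_quotes_gpc() was deprecated in PHP 5.3 and removed in 5.4;
//    on newer PHP this branch is simply never taken.)
function raw_input($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// 2. Validation: a length limit plus a per-field format check, applied before
//    the value gets anywhere near the database. Unexpected input is rejected,
//    not "cleaned".
function validate_name($name) {
    $len = strlen($name);
    return $len >= 1 && $len <= 15 && preg_match('/^[A-Za-z0-9_]+$/', $name) === 1;
}
function validate_age($age) {
    return ctype_digit($age) && strlen($age) <= 2;   // digits only, at most 2
}

// 3. real_escape_string(): escapes quotes and backslashes using the open
//    connection's character set; the value is still wrapped in quotes in the
//    SQL text, and the numeric field is cast rather than quoted.
function find_user(mysqli $db, $name, $age) {
    $name = raw_input($name);
    $age  = raw_input($age);
    if (!validate_name($name) || !validate_age($age)) {
        return false;
    }
    $safe_name = $db->real_escape_string($name);
    $sql = "SELECT name, age FROM users WHERE name = '$safe_name' AND age = " . (int)$age;
    return $db->query($sql);
}

// 4. HTML entities: escaping for output is a separate step from escaping for
//    SQL; ENT_QUOTES also converts single quotes, which ENT_COMPAT leaves alone.
function show_name($name) {
    return htmlentities($name, ENT_QUOTES, 'UTF-8');
}
```

On any PHP still in use, the same query is better written as a prepared statement ($db->prepare('SELECT name, age FROM users WHERE name = ? AND age = ?')) so that user data is never spliced into the SQL text at all; the validation and output-escaping steps stay exactly as shown.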


One Response to “4 SQL injection methods every PHP programmer should be aware of.”

  1. Great post.
