phpeveryday.com


Security: How to protect your MySQL query from SQL injection

Tag: security, mysql, sql injection   Category: Mysql, PHP Basic
post: 13 Nov 2007


SQL injection is one of the attacks every PHP programmer has to be concerned about. Its target is the most sensitive part of a web application: the database. The attacker supplies input containing SQL fragments that the application pastes into a query string, so the database executes the attacker's SQL as part of the application's own query. Depending on the query and the database user's privileges, this can disclose, modify, or delete your data.

The simplest fix for the old mysql extension is mysql_real_escape_string(): escaping the special characters in every user-supplied value that is placed inside a quoted string literal prevents the attacker from closing that literal and appending SQL of their own. Two caveats apply. First, escaping only protects values inside quoted string literals; a value used unquoted in a numeric context, or as a table or column name, is not protected and must be validated separately (for example cast to an integer). Second, mysql_real_escape_string() escapes according to the character set of the current connection, so call it only after connecting, with the connection character set set explicitly. The mysql extension itself was deprecated in PHP 5.5 and removed in PHP 7.0; in current code use prepared statements through mysqli or PDO, which send the query text and the values separately so no escaping is needed at all.

The following code is an insecure example. $name comes straight from the request, and whatever it contains becomes part of the SQL text:

// Vulnerable: user input is interpolated directly into the query string.
// Input such as   x' OR '1'='1   closes the literal and returns every row.
$name  = $_GET['name'];
$query = "SELECT * FROM students WHERE name='$name'";
mysql_query($query);

The following version is safer: the value is escaped before it is placed inside the quoted string literal, so a quote character in the input can no longer terminate the literal.

// Escaped: mysql_real_escape_string() needs an open connection so that it
// escapes for the connection's character set. The %s placeholder must still
// sit between quotes in the query text; escaping does not add them.
$name  = $_GET['name'];
$query = sprintf("SELECT * FROM students WHERE name='%s'",
                 mysql_real_escape_string($name));
mysql_query($query);
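The following PHP script is an added example, not code from the original post. It runs the same student lookup three ways against a constructed sample table, so the difference between pasting input into the query, escaping it, and using a prepared statement can be seen on the classic payload x' OR '1'='1. To make it self-contained it uses PDO with an in-memory SQLite database (an assumption for the demonstration); against MySQL the DSN would be of the form "mysql:host=...;dbname=..." and the prepared-statement code is unchanged. PDO::quote() stands in for mysql_real_escape_string() and, unlike it, adds the surrounding quotes itself.

```php
<?php
// Added example (not from the original post). PDO + in-memory SQLite is an
// assumption made so the script runs offline; the technique is database-neutral.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$pdo->exec("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, grade TEXT)");
$pdo->exec("INSERT INTO students (name, grade) VALUES ('alice', 'A'), ('bob', 'B'), ('carol', 'C')");

// 1. Vulnerable: the user-controlled value becomes part of the SQL text.
function lookupVulnerable(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM students WHERE name='$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Escaped: quote characters inside the value are escaped so the literal
//    cannot be closed early. PDO::quote() plays the role of
//    mysql_real_escape_string() and also supplies the surrounding quotes.
function lookupEscaped(PDO $pdo, string $name): array
{
    $sql = sprintf("SELECT name FROM students WHERE name=%s", $pdo->quote($name));
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Prepared statement: query text and value are sent separately, so the
//    value is never parsed as SQL and no escaping is required.
function lookupPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT name FROM students WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$honest = 'bob';
$attack = "x' OR '1'='1";   // closes the literal and appends an always-true clause

printf("vulnerable, honest input : %s\n", implode(',', lookupVulnerable($pdo, $honest)));
printf("vulnerable, attack input : %s\n", implode(',', lookupVulnerable($pdo, $attack)));
printf("escaped,    attack input : %s\n", implode(',', lookupEscaped($pdo, $attack)));
printf("prepared,   attack input : %s\n", implode(',', lookupPrepared($pdo, $attack)));
```

With the honest input all three functions return the single matching row. With the attack input the vulnerable query turns into WHERE name='x' OR '1'='1', which matches every student, while the escaped and prepared versions look for a student literally named x' OR '1'='1 and return nothing. Note that the escaped version is only safe because the placeholder is used for a quoted string literal; a value substituted into a numeric comparison or a column name would need validation instead of escaping, which is one more reason to prefer the prepared statement.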


