Protecting MySQL Queries from SQL Injection - Mysql
Tagged in : Mysql
SQL injection is a serious concern for anyone writing database code: an attacker who can get user input interpreted as part of a query can read, modify or delete data they were never meant to reach.
In PHP the classic defence is to pass every user-supplied value through the mysql_real_escape_string function before placing it inside a quoted string literal in the query. The function prepends a backslash to the characters MySQL treats specially inside a quoted string (NUL, \n, \r, \, ', " and Ctrl-Z), using the character set of the open connection (call mysql_set_charset first so the two agree), so a quote in the input can no longer terminate the literal. Two caveats apply. First, escaping only protects a value that sits inside single or double quotes; a value dropped into an unquoted position (a numeric comparison, a LIMIT, an ORDER BY column name) is not protected and must be cast or validated against a whitelist instead. Second, the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0; the equivalent call today is mysqli_real_escape_string, and prepared statements, which keep the value out of the SQL text altogether, are the preferred fix. Take a look below at the example of what to do and what not to do.
// This is a vulnerable query: $productname is spliced straight into the SQL text,
// so an input such as  x' OR '1'='1  rewrites the WHERE clause itself.
$query = "SELECT * FROM products WHERE name='$productname'";
mysql_query($query);

// This query is more secure: quotes and backslashes in $productname are escaped
// using the open connection's character set, so the value cannot break out of
// the quoted literal. The %s must stay wrapped in quotes for this to hold.
$query = sprintf("SELECT * FROM products WHERE name='%s'",
                 mysql_real_escape_string($productname));
mysql_query($query);
The most important part of protecting yourself is making sure that no user-supplied value reaches the query with its SQL-significant characters, such as single quotes, unescaped: anything that could close a string literal or append a clause must be neutralised before it is concatenated into the query, or kept out of the query text entirely.
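As an added example (not code from the original page), here is the same product lookup written with the mysqli extension that replaced the mysql_* functions used above. It shows the vulnerable form, the escaped form, a prepared statement, and the unquoted numeric case that escaping alone does not cover. The host, credentials, database name and the products table columns are placeholders assumed for the example, and fetch_all requires the mysqlnd driver that ships with PHP by default.

```php
<?php
// Added example, not from the original page. Assumes a MySQL server on localhost,
// database "shop", user "app" with password "secret", and a table
// products(id INT, name VARCHAR, price DECIMAL). All of these are placeholders.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any SQL or connection error

$db = new mysqli('localhost', 'app', 'secret', 'shop');
// Escaping is character-set aware: tell the server which charset the client uses
// before escaping anything, otherwise multibyte input can be mis-escaped.
$db->set_charset('utf8mb4');

// 1. Vulnerable: the value is spliced straight into the SQL text, so an input
//    such as  x' OR '1'='1  turns the WHERE clause into a tautology.
function find_by_name_vulnerable(mysqli $db, string $name): array
{
    $query = "SELECT id, name, price FROM products WHERE name='$name'";
    return $db->query($query)->fetch_all(MYSQLI_ASSOC);
}

// 2. Escaped: the mysqli equivalent of mysql_real_escape_string(). This is only
//    correct because %s is wrapped in single quotes; escaping does nothing for a
//    value dropped into an unquoted position.
function find_by_name_escaped(mysqli $db, string $name): array
{
    $query = sprintf("SELECT id, name, price FROM products WHERE name='%s'",
                     $db->real_escape_string($name));
    return $db->query($query)->fetch_all(MYSQLI_ASSOC);
}

// 3. Prepared statement: the value travels separately from the SQL text, so no
//    quoting or escaping is needed and no input can change the query's shape.
function find_by_name_prepared(mysqli $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name, price FROM products WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Unquoted numeric parameter: escaping quotes cannot help here, because the
// payload  1 OR 1=1  contains none. Cast to int and bind it as an integer.
function find_by_id(mysqli $db, $id): array
{
    $id = (int) $id;
    $stmt = $db->prepare('SELECT id, name, price FROM products WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Classic injection payload against the three string lookups.
$payload = "x' OR '1'='1";
printf("vulnerable: %d rows\n", count(find_by_name_vulnerable($db, $payload)));
printf("escaped:    %d rows\n", count(find_by_name_escaped($db, $payload)));
printf("prepared:   %d rows\n", count(find_by_name_prepared($db, $payload)));

// The numeric payload is harmless once the value is cast and bound as an int.
printf("by id:      %d rows\n", count(find_by_id($db, '1 OR 1=1')));
```

Run against a populated products table, the vulnerable lookup returns every row because the injected tautology matches everything, while the escaped and prepared lookups only match a product whose name is literally the payload string. The escaped variant is kept for comparison with the original page; in new code the prepared statement is the one to use, since it removes the quoting requirement that makes escaping easy to get wrong.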
By kalai, on 2008-03-14