Tuesday, November 8, 2011

prevention of sql injection in php

To avoid SQL injection attacks, follow these simple mechanisms in PHP:

1) Always restrict the length of form fields, e.g. don't allow more than 20 characters in fields like username and password, using the "maxlength" property available in the HTML form.

2) Always validate that the input is the proper kind of value: whether it is a valid email address, whether it is numeric, whether it is a valid date, etc.

3) Finally, always use the mysql_real_escape_string() function before sending a variable to the SQL query; it escapes special characters in the value (such as quotes) with a backslash. For example (note that you must be connected to the database to use this function):

Code:
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

If an intruder injects ' OR 1 into the username and password fields, the values of $username and $password become \' OR 1, which is not going to harm us anymore.
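The three steps above as an added PHP example; this is not the post's own code. Step 3 is done with a mysqli prepared statement instead of mysql_real_escape_string(), because the mysql extension the post uses was removed in PHP 7; the connection $db and the users table are assumptions made for the example.

```php
<?php
// Added example, not the post's own code. It applies the post's three steps
// server-side and replaces step 3's escaping with a prepared statement.
// Assumptions: a mysqli connection $db and a table users(id, username,
// password_hash). The mysql_* functions used in the post no longer exist in PHP 7+.

function validate_login_input(string $username, string $password): array {
    $errors = [];
    // Step 1: enforce the length limit on the server as well. The HTML
    // maxlength attribute only restrains the browser form, not a crafted POST.
    if ($username === '' || mb_strlen($username) > 20) {
        $errors[] = 'username must be 1-20 characters';
    }
    if ($password === '' || mb_strlen($password) > 20) {
        $errors[] = 'password must be 1-20 characters';
    }
    // Step 2: check the shape of the value, not only its length. A username
    // containing quotes or spaces is rejected before any query is built.
    if ($username !== '' && !preg_match('/^[A-Za-z0-9_.-]+$/', $username)) {
        $errors[] = 'username may contain only letters, digits, "_", "." and "-"';
    }
    return $errors;
}

// Step 3 with a bound parameter instead of string escaping: the username is
// sent to MySQL separately from the SQL text, so an input such as ' OR 1 is
// compared literally against the column and can never change the query.
function find_user(mysqli $db, string $username): ?array {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? ['id' => $id, 'password_hash' => $hash] : null;
}

// Constructed inputs, including the payload from the post; this part runs
// without a database connection.
foreach (["' OR 1", 'alice_01', str_repeat('a', 30)] as $name) {
    $errs = validate_login_input($name, 'secret');
    printf("%-32s -> %s\n", var_export($name, true), $errs ? implode('; ', $errs) : 'ok');
}
```

Escaping as in the post only protects a value that is placed inside quotes in the query string; a bound parameter needs neither quoting nor escaping, which is why prepared statements are the safer default.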



This might also help someone:
.htaccess


Code:
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a

