To avoid SQL injection attacks, please follow these simple
mechanisms in PHP:
1) Always restrict the length of the form fields, e.g. don't allow
more than 20 characters in fields like username and password, using
the "maxlength" property available in the HTML form.
2) Always validate for proper input, such as whether the value is a valid
email or not, is numeric or not, is a valid date or not, etc.
3) Finally, always use the mysql_real_escape_string() function before
sending the variable to the SQL query, it ad. For example
(note: you must be connected to the database to use this function):
Code:
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
If an intruder injects ' OR 1 in the username and password fields, then the values of $username and $password will become \' OR 1, which is not going to harm us anymore.
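A server-side version of steps 1 and 3, as an added example that is not part of the original post: it swaps mysql_real_escape_string() (removed in PHP 7.0) for a PDO prepared statement. It assumes PHP 7+ with the pdo_sqlite extension; the table, the account and the `valid_field()`/`login()` helpers are constructed for illustration.

```php
<?php
// Added example, not code from the original post. Assumes PHP 7+ with the
// pdo_sqlite extension; the table, the user and the password are constructed.
const MAX_LEN = 20; // the 20-character limit from step 1

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', password_hash('s3cret-sample', PASSWORD_DEFAULT)]);

// Step 1 on the server: maxlength in the HTML form is enforced only by the
// browser, so the length (and the type) is checked again here.
function valid_field($value): bool
{
    return is_string($value) && $value !== '' && strlen($value) <= MAX_LEN;
}

function login(PDO $db, array $post): bool
{
    $username = $post['username'] ?? null;
    $password = $post['password'] ?? null;
    if (!valid_field($username) || !valid_field($password)) {
        return false;
    }
    // Step 3 with a bound parameter instead of escaping: the value is bound
    // to the placeholder rather than spliced into the SQL text, so a quote
    // in it is only data.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed requests: a valid login, the input from the post, an oversized field.
$requests = [
    ['username' => 'alice', 'password' => 's3cret-sample'],
    ['username' => "' OR 1", 'password' => "' OR 1"],
    ['username' => str_repeat('a', 200), 'password' => 'x'],
];
foreach ($requests as $post) {
    printf("%-22s => %s\n", substr($post['username'], 0, 20),
        login($db, $post) ? 'accepted' : 'rejected');
}
```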
This might also help someone:
.htaccess
Code:
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a