Prevent SQL Injection Attack in PHP

MySQL injection takes place when a visitor to a website enters values into a form, that is, through input a visitor supplies by filling in a form.

A login form is a good example. Someone can enter a query inside our query and change what it does. Therefore, when we write code that handles form inputs, we should be aware of these MySQL injection attacks and use some techniques to protect our sites against SQL injection.

PHP has a way of avoiding SQL injection attacks: mysql_real_escape_string().
We should pass values through it and assign the result to a variable rather than using the values directly.

Normally values are assigned directly as follows:
$sql = "SELECT COUNT(*) FROM USER WHERE USERNAME = $this->userName";

We can use the following query instead to avoid this issue (the value is escaped and then placed inside single quotes):
$sql = sprintf("SELECT COUNT(*) FROM USER WHERE USERNAME = '%s'", mysql_real_escape_string($this->userName));

Published on October 27, 2009 at 8:14 am
