Prevent SQL Injection Attack in PHP

SQL injection happens when a visitor to the website enters values into a form and that form input is used, unchanged, inside a database query.

A login form is a typical example. Someone can type a fragment of SQL into the form field so that it becomes part of our query and changes what the query does. Therefore, whenever we write code that handles form inputs, we should be aware of SQL injection attacks and use some techniques to protect our sites against them.

PHP has a way of avoiding SQL injection attacks: mysql_real_escape_string().
We should pass each value through this function and use the escaped result in the query, rather than using the raw value directly.

Normally values are placed directly into the query string as follows (this is the vulnerable form):
$sql = "SELECT COUNT(*) FROM USER WHERE USERNAME = $this->userName";

We can build the query as follows instead to avoid this issue (the value is escaped, and quoted in the SQL):
$sql = sprintf("SELECT COUNT(*) FROM USER WHERE USERNAME = '%s'", mysql_real_escape_string($this->userName));
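The following is an added example, not code from the original post. It carries the same COUNT(*) lookup through three forms: the unsafe string-pasting the post warns about, the post's escape-then-sprintf technique using the mysqli equivalent of mysql_real_escape_string() (the mysql_* extension was removed in PHP 7), and a PDO prepared statement, which keeps SQL and data separate so there is no escaping step to forget. It assumes a reachable MySQL database with a table USER that has a USERNAME column; the host, database name and credentials are placeholders.

```php
<?php
// Added example, not code from the original post. Assumes PHP 7+ with the
// mysqli and pdo_mysql extensions and a MySQL table USER(USERNAME, ...).
declare(strict_types=1);

$host = '127.0.0.1';   // placeholder
$db   = 'app';         // placeholder
$user = 'app';         // placeholder
$pass = 'change-me';   // placeholder

// Constructed sample input: a legitimate name containing a quote is enough
// to break a query that pastes the input straight into the SQL text.
$userName = $_POST['username'] ?? "O'Brien";

// 1. What the post warns against: the input becomes part of the SQL text,
//    so the quote inside O'Brien ends the string literal early. Built here
//    for illustration only; it is never executed.
$unsafe = "SELECT COUNT(*) FROM USER WHERE USERNAME = '$userName'";

// 2. The post's technique with its current equivalent: escape the value for
//    this connection's character set, then interpolate it inside quotes.
$mysqli = new mysqli($host, $user, $pass, $db);
$mysqli->set_charset('utf8mb4');          // escaping is charset-dependent
$escaped = sprintf(
    "SELECT COUNT(*) FROM USER WHERE USERNAME = '%s'",
    $mysqli->real_escape_string($userName)
);
$row = $mysqli->query($escaped)->fetch_row();
echo "escaped query count: {$row[0]}\n";

// 3. Preferred today: a prepared statement sends the SQL and the value
//    separately, so the value can never be parsed as SQL.
function countUsers(PDO $pdo, string $userName): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM USER WHERE USERNAME = :name');
    $stmt->execute([':name' => $userName]);
    return (int) $stmt->fetchColumn();
}

$pdo = new PDO("mysql:host=$host;dbname=$db;charset=utf8mb4", $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepares
]);
echo "prepared statement count: " . countUsers($pdo, $userName) . "\n";
```

Run it from the command line with the placeholders filled in; with no POST data the constructed name O'Brien is used, and both the escaped query and the prepared statement return the same count, while the $unsafe string would have produced a syntax error (or, with different input, a different query).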

Published on October 27, 2009 at 8:14 am