SQL injection is a typical code injection attack that exploits weaknesses in an application's database layer. The vulnerability arises when one scripting or programming language is embedded in, or used as input to, another without checking that the input is legal or filtering out potentially dangerous code.
SQL injection is possible when user input is either not correctly filtered for string literals embedded in SQL statements or is not strongly typed, so that the input is executed in a way the developer did not expect.
The solution is to never trust user input by default, especially input that will end up in a SQL statement. Check the data type and escape string literals before committing them into a query.
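As an added example (not part of the original post or its comments), the following PHP shows the vulnerable concatenation beside the parameterized and type-checked forms. It runs against an in-memory SQLite database through PDO so it needs no MySQL server; the table, its rows and the demonstration input are constructed for this illustration, and the function names `setupDb`, `findUserUnsafe`, `findUserSafe` and `findUserById` are chosen here.

```php
<?php
// Added example, not the post's own code. Requires the pdo_sqlite extension.

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO users (name, password) VALUES ('alice', 'a-secret'), ('bob', 'b-secret')");
    return $db;
}

// Vulnerable: the input is spliced straight into the SQL text, so a quote
// character in the input ends the string literal and changes the query structure.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value is bound as a parameter and stays data no matter
// which characters it contains, so no escaping by hand is needed.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened, numeric case: verify the data type before the value reaches the
// query, then bind it with an explicit integer type.
function findUserById(PDO $db, string $rawId): array
{
    if (filter_var($rawId, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = setupDb();
// Constructed demonstration input: an unescaped quote followed by an always-true condition.
$input = "' OR '1'='1";
echo count(findUserUnsafe($db, $input)), " rows from the concatenated query\n";   // 2: every user is returned
echo count(findUserSafe($db, $input)), " rows from the parameterized query\n";    // 0: no user has that literal name
print_r(findUserById($db, '2'));                                                 // bob
```

The first count shows why escaping matters: the unfiltered quote turned a lookup for one name into a condition that matches every row. The parameterized version treats the same bytes as an ordinary (non-existent) name, and the numeric lookup rejects anything that is not an integer before building the statement.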
You should also read:
- PHP: Escape String Literals for SQL, mysqli::real_escape_string and PDO to Prevent SQL Injection Attacks
- MySQL, PHP: Store form textarea value or data to MySQL database table
- PHP: Allow Specific HTML Tags in Text Input Controls of HTML Forms, <textarea>, <input type="text" />
- MySQL logic operators: How to use AND, OR together in WHERE clauses in one query?
- You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax …
{ 5 comments… read them below or add one }
alert('oh, no…');
i.spank(you);
```php
// Takes the mysqli connection as a parameter: the mysql_* functions used in the
// original were removed in PHP 7.
function makeEncode(mysqli $link, $sql)
{
    // Strip SQL keywords and punctuation, case-insensitively. The original wrapped the
    // pattern in sql_regcase(), which no longer exists; the /i modifier does the same job.
    // Note that a blacklist like this also mangles legitimate text such as "Select a size".
    $sql = preg_replace('/(from|select|insert|delete|where|drop table|like|show tables|\'|"|\||=|-|;|,|#|\*|--|\\\\)/i', '', $sql);
    $sql = trim($sql);
    $sql = strip_tags($sql);
    // Undo magic quotes only if that legacy setting still exists and is on (removed in PHP 5.4),
    // then always escape for the connection; the original escaped only in the else branch.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $sql = stripslashes($sql);
    }
    $sql = mysqli_real_escape_string($link, $sql);
    $sql = htmlentities($sql);
    return $sql;
}
```
What is this?
Write a function like that
```php
// The connection is passed in explicitly: the original referenced $this->dbLink,
// which is not available inside a plain function.
function makeEncode(mysqli $link, $value)
{
    $value = trim(htmlentities($value));
    // Undo magic quotes only if that legacy setting still exists and is on (removed in PHP 5.4),
    // then always escape for the MySQL connection; the original escaped only in the else branch.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    $value = mysqli_real_escape_string($link, $value);
    return $value;
}
```
then use this when entering data into mysql database