Hi, how can I protect my php web forms from mySQL injection? How can I make it hacker safe? Thanks in advance.
mysql_real_escape_string and ofcource you need to validate your inputs (try searching google for mysql injection prevention or something) and you'll find alot of resources!
Yep. Let nothing go from the user to the database without your code positively affirming that it follows the expected format.
If you are sending an integer in the query, make sure it is really an integer by processing it through intval() before it gets anywhere near the database. If you are sending a string, make sure it only contains the characters that are appropriate for your context. And so on.
I Give You Some Examples To Help You Let's Say That You Have getdata.php Which Takes POSTs From Another URLs You Have The Variable: $data = $_POST['data']; // gets the value that was posted from the field 'data' PHP: If You Are Already Connected To mySQL (User => Database) Then Use: $data = mysql_real_escape_string($_POST['data']); // this secures your value of 'data' by removing some forbidden characters & other stuff ...QUERY HERE... PHP: Also, If You Are Not Connected To The Database (And You Connect Only After Storing The Variable Value) Then Use: $data = htmlentities($_POST['data']); // this is not so secure like _real_escape_string but it does his job ...QUERY HERE... PHP:
yes but the most of the sites don't have it unless you have code's like: $IncludedFileName = $_GET['page']; if($IncludedFileName != NULL){ include($IncludedFileName.php); } PHP: This Is For Local File Inclusion Anyhow, Watch Out How You Code Your Website!
mysql_real_escape_string($_REQUEST); i don't think that it will work. you need the field name too... like mysql_real_escape_string($_REQUEST['data']); ( in case of POST ) ... in case of GET you put the GET data
Use mysql_real_escape_string when you insert a value into database. Before that, verify the variables. EG: if the value should be a number, make sure it is. - ads2help