I'm searching for the a rule to prevent the SQL Injection from URL in PHP languange. Mine URL is filter with: function filter($url){ $strurl=nl2br($ulr); $strurl=htmlspecialchars($strurl); return $strurl; } Can you show you best rule to here?
To prevent sql injection, you can consider: 1. mysql_real_escape_string for string input. 2. preg_match or equivalent function for number input and other. 3. Set up user with barely enough privilege. 4. To enhance security to maxima, strip or don't allow potentially dangerous words in input like AND, OR, DELETE, DROP, ALTER, INSERT,... (kind a strict) That's all I can think of right now .
On #4 when it comes to SQL injection you might not pick up on something like A/**/ND which is basically AND but had an ignored comment embedded, yet mysql still treats it as AND. But escaping is a good method for prevention, however numeric values are targeted more often because you don't have to worry bout the closing quote. However the best method in combination with the rest is turning off any error output to the screen and strictly only have errors into a log file. This way the attackers can't 'feel' your database by purposely feeding it bad data in hope of getting a SQL error to the screen so they can see partial structure of your query to mess with.