It has been a long time since we last published an article about SQL injection. First of all, what is SQL injection? It is a way for unwanted people to access your database without your knowledge, i.e. hacking. When the system (website) asks for input from users, we must not pass that input directly to the database; we must validate the input first.

The following steps protect against malicious user input:

If you receive input from users, you have to validate it, for example with a regular expression:

<?php
$user_name = 'alice123';   // example input; in practice this comes from the request

// Only 6 to 10 lowercase letters or digits are accepted
if (preg_match('/^[a-z0-9]{6,10}$/', $user_name)) {
    echo "Valid username";
} else {
    echo "Invalid username";
}

The username must satisfy the following rules:

  • Numbers from 0 – 9
  • No capital letters
  • No special symbols at all
  • Minimum of 6 characters
  • Maximum of 10 characters

Second, some "experts" try to get at your users' information. In that case we have to use mysql_real_escape_string; see the example below:

<?php
// mysql_real_escape_string() needs an open mysql_connect() link; the mysql_*
// extension was removed in PHP 7, so on current PHP use
// mysqli_real_escape_string() or, better, prepared statements.
$name = "' OR 1'";

$name = mysql_real_escape_string($name);   // the quotes are now backslash-escaped

$query = "SELECT * FROM customers WHERE username = '$name'";
echo "Escaped Bad Injection: <br />" . $query . "<br />";

If you do not use that function, the query returns every customer's details from the table.

The final point is the most important one:

<?php
// Malicious input: it closes the string literal, appends a DELETE statement
// and re-opens a quote so the rest of the query still parses
$name = "'; DELETE FROM users WHERE 1 or username = '";
$query = "SELECT * FROM users WHERE username = '$name'";   // $name is NOT escaped here

Some bad users give input like the example above; in that case we use mysql_real_escape_string to avoid it. If you do not use it, think about the example above: the table will be lost. Whenever you write code, try to implement these things; it will help you.
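The two defences above, validation and keeping user input out of the SQL text, as an added example on current PHP (not code from the original article). It uses PDO prepared statements in place of mysql_real_escape_string, and an in-memory SQLite database is assumed so it runs offline; for MySQL you would swap in a mysql: DSN with your own credentials.

```php
<?php
// Added example (not from the article): validation plus parameterised queries.
// Assumption: PDO with an in-memory SQLite database, so this runs offline.
// For MySQL use new PDO('mysql:host=...;dbname=...', $user, $pass) instead and
// also set PDO::ATTR_EMULATE_PREPARES to false so the server does the binding.

function isValidUsername(string $name): bool
{
    // Same rule as the article: 6 to 10 lowercase letters or digits
    return preg_match('/^[a-z0-9]{6,10}$/', $name) === 1;
}

function findCustomer(PDO $db, string $name): array
{
    // The :name placeholder is sent separately from the SQL text, so the
    // value is always treated as data and can never become SQL syntax.
    $stmt = $db->prepare('SELECT id, username FROM customers WHERE username = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO customers (username) VALUES ('alice1'), ('bob123')");

// Constructed inputs: one honest username and the two payloads from the article
$inputs = [
    'alice1',
    "' OR 1'",
    "'; DELETE FROM users WHERE 1 or username = '",
];

foreach ($inputs as $input) {
    if (!isValidUsername($input)) {
        // Both payloads contain quotes and spaces, so they never reach the database
        echo "Rejected by validation: $input\n";
        continue;
    }
    $rows = findCustomer($db, $input);
    echo count($rows) . " row(s) found for $input\n";
}

// Even if validation were skipped, the bound value is compared literally
// against the username column rather than interpreted as part of the query.
$rows = findCustomer($db, "' OR 1'");
echo count($rows) . " row(s) found for the OR 1 payload without validation\n";
```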

Copyright © 2015 - 2021 PHPEXPERTISE.COM