Wednesday, July 14, 2010

Prevention from Sql Injection Attack in PHP

To avoid SQL injection attacks, follow these simple mechanisms in PHP:
 

1) Always restrict the length of the form fields: for example, don't allow 
more than 20 characters in fields like username and password, using the 
"maxlength" attribute available in HTML forms.
 

2) Always validate that the input has the proper form: whether the value is a 
valid email address or not, numeric or not, a valid date or not, etc.
 

3) Finally, always use the mysql_real_escape_string() function before 
sending the variable to the SQL query, it ad. For example:

Note: you must be connected to the database to use this function.
 
Code:
// escape the raw POST values before they are placed inside a quoted SQL string
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

If an intruder enters ' OR 1 in the username or password field, the values of $username and $password become \' OR 1, which no longer harms us.
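The three steps combined in one login handler, as an added example that is not from the original post. It enforces the 20-character limit on the server too (the HTML maxlength attribute is only a client-side hint), validates the characters, and escapes with mysqli_real_escape_string(), the mysqli equivalent of mysql_real_escape_string() (the mysql_* functions were removed in PHP 7). It assumes an open mysqli connection in $conn and a table `users`; note that escaping only protects a value that sits inside quotes in the query.

```php
<?php
// Added example (not from the original post). Assumes an open mysqli
// connection in $conn and a table `users` with columns id, username, password.

function validate_login_input(string $username, string $password): ?string
{
    // Step 1: enforce the 20-character limit on the server as well; the
    // HTML maxlength attribute can be removed or ignored by the client.
    if (strlen($username) > 20 || strlen($password) > 20) {
        return 'Input too long';
    }
    // Step 2: validate the form of the value. Usernames are limited to
    // letters, digits, dot, dash and underscore, so a quote or space is rejected.
    if (!preg_match('/^[A-Za-z0-9._-]{1,20}$/', $username)) {
        return 'Invalid username';
    }
    if ($password === '') {
        return 'Empty password';
    }
    return null; // input is acceptable
}

function build_login_query(mysqli $conn, string $username, string $password): string
{
    // Step 3: escape immediately before the value goes into SQL. The escaped
    // value MUST be enclosed in single quotes; escaping does nothing for an
    // unquoted numeric context such as WHERE id = $id.
    $u = mysqli_real_escape_string($conn, $username);
    $p = mysqli_real_escape_string($conn, $password);
    return "SELECT id FROM users WHERE username = '$u' AND password = '$p'";
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

if (($error = validate_login_input($username, $password)) !== null) {
    http_response_code(400);
    exit($error);
}

$sql    = build_login_query($conn, $username, $password);
$result = mysqli_query($conn, $sql);
// With the password ' OR 1 from the post, the query contains
// password = '\' OR 1' : a literal string, not an injected condition.
```

On current PHP the same query is better written as a prepared statement with bound parameters, which removes the quoting concern entirely.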



This might also help someone:

.htaccess

Code:
# Block out any script trying to set a mosConfig value through the URL

RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]

# Block out any script trying to base64_encode crap to send via URL

RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]

# Block out any script that includes a 
