Thursday, July 2, 2009

how to battle SQL INJECTORS?

you can easily defeat anyone who is trying to SQL INJECT your website via, a simple input validator of PHP to MySql extensions. it is called the mysql_real_escape_string() function... it is a function design to made any perpetrator suffer with his doing.

for example you are making a website of a blog. and you tend to select or view the contents in the database, you tend to select right? but instead someone SQL inject your site. and it listed all your user's account information. its a faulty system.

but you can use the mysql_real_escape_string(); to avoid sql injections.

example.
this is a faulty query.
$query = mysql_query("Select * from student_tb where id='$_POST['id']' and password='$_POST['pw']'");

to solve this. use this
  • $id = mysql_real_escape_string($_POST['id']);
  • $pw = mysql_real_escape_string($_POST['pw']);
then query.

$query = mysql_query("Select * from student_tb where id='$id' and password='$pw'");
PROBLEM SOLVED!
Posted by honey at 9:26 PM
Labels:

3 comments:

Subscribe to: Post Comments (Atom)