Member Avatar for ultras1

Hi, I'm making litle CMS with PHP+Mysql. Can you tellme measures for prevention for SQL Injections ?

  • 5 Contributors
  • 6 Replies
  • 164 Views
  • 4 Days Discussion Span
  • Latest Post Latest Post by koldex

Recommended Answers

All 6 Replies

Member Avatar for smartness

--> mysql_real_escape_string

--> Use htmlentities() for user submitted data!

when you get the id from the url:
$id = $_GET["id"];
use this:
$id = (int)$_GET["id"];

this is only when the ID is a integer!

I would suggest using a php mysql class!

Edited by smartness because: n/a
Member Avatar for kylegetson

using php base64_encode and php base64_decode can help as well.

never run a query on data you unsure about.

also, its a good idea to restrict the permissions of the mysql user your scripts are using, so in case someone does get in, they can't create, alter or drop tables. require an additional login before allowing those type of queries.

backup early. backup often.

commented: Great suggestions +3
Member Avatar for ultras1

when you get the id from the url:
$id = $_GET["id"];
use this:
$id = (int)$_GET["id"];

this is only when the ID is a integer!

Interesting

using php base64_encode and php base64_decode can help as well.

I had never known about that, it looks interesting. For example if I have "index.php?id=33&page=1" . What to encode? I guess "id=33&page=1" ?

Member Avatar for kylegetson

When creating links use:

$id=33;
$page=1;
$link = "index.php?id=".base64_encode($id)."&page=".base64_encode($page);

Then when getting those variables:

$id = base64_decode($_GET['id']);
$page = base64_decode($_GET['page']);

hope that helps.

Member Avatar for mwasif

There is a simple rule, always treat user input an evil :)

Member Avatar for koldex

Good

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.