
Hi, I'm making a little CMS with PHP+MySQL. Can you tell me measures for preventing SQL injections?

5 Contributors, 6 Replies, 7 Views, 8 Years Discussion Span, Last Post by koldex

--> mysql_real_escape_string

--> Use htmlentities() for user-submitted data!

When you get the id from the URL:
$id = $_GET["id"];
use this:
$id = (int)$_GET["id"];

This is only when the ID is an integer!

I would suggest using a PHP MySQL class!

Edited by smartness
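Added example (editor's code, not from smartness's post or the thread): the (int) cast described above and a PDO prepared statement, shown beside the concatenated query they replace. It uses PDO with an in-memory SQLite database so it runs offline; the table, rows and attacker inputs are constructed for the demo. For the MySQL CMS in question only the DSN line changes (and set PDO::ATTR_EMULATE_PREPARES to false so the MySQL driver binds server-side).

```php
<?php
// Added example, not code from the thread. In-memory SQLite via PDO so it runs
// offline; for MySQL use e.g.
//   new PDO('mysql:host=localhost;dbname=cms;charset=utf8mb4', $user, $pass,
//           [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
//            PDO::ATTR_EMULATE_PREPARES => false]);
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
// Constructed schema and rows for the demo.
$pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT)');
$pdo->exec("INSERT INTO pages VALUES (1, 'home', 'Welcome'), (2, 'admin', 'Secret draft')");

// Constructed attacker input, as it would arrive in $_GET['id'] / $_GET['slug'].
$evilId   = '1 OR 1=1';
$evilSlug = "home' OR '1'='1";

// 1. Vulnerable: string concatenation lets the input rewrite the query itself.
function pageByIdVulnerable(PDO $pdo, string $id): array
{
    $sql = 'SELECT id, slug FROM pages WHERE id = ' . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Integer cast, as smartness suggests. Only valid for numeric columns:
//    '1 OR 1=1' becomes 1, 'abc' becomes 0 (matches no row).
function pageByIdCast(PDO $pdo, string $id): array
{
    $safeId = (int)$id;
    $sql = 'SELECT id, slug FROM pages WHERE id = ' . $safeId;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Prepared statement: the value is bound separately and never becomes part
//    of the SQL text, so it also covers strings, where a cast is not an option.
function pageBySlugPrepared(PDO $pdo, string $slug): array
{
    $stmt = $pdo->prepare('SELECT id, slug FROM pages WHERE slug = :slug');
    $stmt->execute([':slug' => $slug]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

printf("vulnerable : %d rows\n", count(pageByIdVulnerable($pdo, $evilId)));   // 2 rows: whole table leaks
printf("int cast   : %d rows\n", count(pageByIdCast($pdo, $evilId)));         // 1 row: payload reduced to 1
printf("prepared   : %d rows\n", count(pageBySlugPrepared($pdo, $evilSlug))); // 0 rows: quote stays data
```

Prepared statements are the general answer; the cast is a valid shortcut only for integer columns, and htmlentities() belongs at output time (it prevents HTML injection, not SQL injection). Pair either with a dedicated MySQL account granted only SELECT, INSERT, UPDATE and DELETE on the CMS schema, so a missed spot cannot drop tables.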


Using PHP's base64_encode() and base64_decode() can help as well.

Never run a query on data you are unsure about.

Also, it's a good idea to restrict the permissions of the MySQL user your scripts are using, so in case someone does get in, they can't create, alter or drop tables. Require an additional login before allowing those types of queries.

Back up early. Back up often.


When you get the id from the URL:
$id = $_GET["id"];
use this:
$id = (int)$_GET["id"];

This is only when the ID is an integer!

Interesting

Using PHP's base64_encode() and base64_decode() can help as well.

I had never known about that; it looks interesting. For example, if I have "index.php?id=33&page=1", what do I encode? I guess "id=33&page=1"?


When creating links, use:

$id=33;
$page=1;
// encode each parameter separately when building the link
$link = "index.php?id=".base64_encode($id)."&page=".base64_encode($page);

Then when getting those variables:

// decode them back on the receiving page
$id = base64_decode($_GET['id']);
$page = base64_decode($_GET['page']);

Hope that helps.
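Added example (editor's code, not from koldex's post): the link built and decoded the way the post above shows, run against a constructed attacker value instead of 33. It shows what base64_decode() returns and adds the check a practitioner would want after decoding: strict decoding plus FILTER_VALIDATE_INT, so the value is rejected rather than passed on to SQL. The helper names buildLink and readIntParam are my own, and the payload is constructed for the demo.

```php
<?php
// Added example, not code from the thread.
declare(strict_types=1);

// Build the link the way the post does; urlencode() protects the '=' padding.
function buildLink(string $id, string $page): string
{
    return 'index.php?id=' . urlencode(base64_encode($id))
         . '&page=' . urlencode(base64_encode($page));
}

// Decode, then validate. base64 is an encoding, not a filter: decoding gives
// back exactly the bytes that were encoded, so the result still has to be
// checked before it goes anywhere near a query.
function readIntParam(array $query, string $name): ?int
{
    if (!isset($query[$name]) || !is_string($query[$name])) {
        return null;
    }
    $raw = base64_decode($query[$name], true);   // strict mode: non-base64 input -> false
    if ($raw === false) {
        return null;
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT); // whole integers only, else false
    return $value === false ? null : $value;
}

// Legitimate link, as in the post.
$good = buildLink('33', '1');        // index.php?id=MzM%3D&page=MQ%3D%3D

// Constructed attacker value: anyone can run base64_encode() on a payload
// themselves, and the resulting link is indistinguishable from a real one.
$evil = buildLink('33 OR 1=1', '1');

parse_str(substr($evil, strpos($evil, '?') + 1), $q);
var_dump(base64_decode($q['id']));   // string(9) "33 OR 1=1": the payload survives decoding intact
var_dump(readIntParam($q, 'id'));    // NULL: the integer check rejects it

parse_str(substr($good, strpos($good, '?') + 1), $q);
var_dump(readIntParam($q, 'id'));    // int(33): the real id passes
```

Whatever the transport encoding of a parameter, treat the decoded value as untrusted input and either cast or validate it as a number, or bind it with a prepared statement; the encoding step on its own changes nothing about what reaches the database.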
