SQL injection, insertion

SQL injection, insertion

SQL injection is an attack where malicious code is passed to an SQL Server for execution. The attack can result in unauthorized access to confidential data, or destruction of critical data.

Before you try to read the methods below, realize that this should only be a concern for PHP developers and the like. If you are using a database driven program (e.g. WordPress, Joomla, OSCommerce), then all you need to do is upgrade your programs to the latest version available.

Methods to prevent SQL injection

Escaping

One way to prevent injections is to escape dangerous characters (i.e. backslash, apostrophe and semicolon). In PHP, it is typical to escape the input using the function mysql_real_escape_string before sending the SQL query. Example:

$Uname = mysql_real_escape_string($Uname);
$Pword = mysql_real_escape_string($Pword);
$query = "SELECT * FROM Users where UserName='$Uname' and Password='$Pword'";
mysql_query($query);

Parameterized statements

A parameterized query uses placeholders for the input, and the parameter values are supplied at execution time.

$params = array($Uname, $Pword);
$sql = 'INSERT INTO Users (UserName, Password) VALUES (?, ?)';
$query = sqlsrv_query($connection, $sql, $params);

Advanced: In PHP version 5 and above, there are multiple choices for using parameterized statements; the PDO database layer is one of them. There are also vendor-specific methods; for example, MySQL 4.1 + used with the mysqli extension.

  • 21 Para pengguna merasa ini berguna
Apakah jawaban ini membantu?

Artikel Terkait

limit inode 100.000

inode merupaka struktur data yang digunakan untuk menyimpan informasi tentang sebuah file di...

Penggunaan resource CPU

SHARED SERVERS HostMop memperbolehkan maximum 25% untuk penggunakan CPU. Anda dapat melewati...

Bagaimana cara pembuatan password yang kuat?

Pembuatan Password Sangatlah penting untuk membuat password yang mudah diingat, tetapi susah...

Bagaimana saya mencegah hacking?

Hal yang terpenting adalah menyimpan password Anda secara rahasia. Jika Anda memberikan...

How to handle the Google Attack Page

When you see the dreaded Google attack site warning, you should immediately email...