
Secure your web page against SQL injection

There are a number of things you can do. I will show you a few here.
Alternative one
Let's say this is your code:
Code
<?php
$result = mysql_query('SELECT text FROM pages WHERE id=' . $_GET['id']); // user input is concatenated straight into the SQL
$row = mysql_fetch_assoc($result); // mysql_query() returns a result resource, not the text itself
echo($row['text']);
?>
This means that you are selecting the page content, the 'text' column, from the 'pages' table in the SQL database, and you are picking the right page with $_GET['id'], which is the value taken from the URL. Example:
Code
http://google.com/index.php?id=123
This code is easily injectable. But if you do this:
Code
<?php
// Escaping only neutralises quote characters, so the escaped value must sit inside quotes in the SQL
$result = mysql_query("SELECT text FROM pages WHERE id='" . mysql_real_escape_string($_GET['id']) . "'");
$row = mysql_fetch_assoc($result);
echo($row['text']);
?>
You are 100% secure
Alternative two
This one is not as good as the first one, but it still works.
Again, say this is your PHP code:
Code
<?php
$result = mysql_query('SELECT text FROM pages WHERE id=' . $_GET['id']); // user input is concatenated straight into the SQL
$row = mysql_fetch_assoc($result); // mysql_query() returns a result resource, not the text itself
echo($row['text']);
?>
Again, this is very simple to inject. But you can check $_GET['id'] for "illegal" keywords, like this:
Code
<?php
// Reject the request if the id contains one of the blacklisted keywords (case-insensitive)
$id = strtolower($_GET['id']);
if (strrpos($id, 'union') !== false) {
    die;
}
if (strrpos($id, 'select') !== false) {
    die;
}
if (strrpos($id, 'information_') !== false) {
    die;
}
$result = mysql_query('SELECT text FROM pages WHERE id=' . $_GET['id']);
$row = mysql_fetch_assoc($result);
echo($row['text']);
?>
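The following is an added example, not code from the original post. It covers both alternatives above with the approach a practitioner would reach for today: a whitelist check (a page id must be a positive integer) in place of the keyword blacklist of alternative two, and a prepared statement with a bound parameter in place of the escaping of alternative one, so the id never becomes part of the SQL text at all. The mysql_* functions used in the post were removed in PHP 7, so this uses PDO. It assumes an in-memory SQLite database as a stand-in for the MySQL 'pages' table so it runs offline; with a MySQL DSN the prepared-statement code is unchanged. The table rows and the list of inputs are constructed for the demonstration.

```php
<?php
// Added example (not the original post's code). Assumption: SQLite in memory
// stands in for the MySQL 'pages' table so this runs without a server.

// Replacement for alternative two: whitelist instead of keyword blacklist.
// A page id is a positive integer; anything else is rejected outright, so there
// is no list of "bad words" to keep complete.
function validPageId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Replacement for alternative one: prepared statement instead of escaping.
// The id travels as a bound parameter, so quotes, spaces or SQL keywords in it
// are never interpreted as SQL, regardless of how the query text is written.
function pageText(PDO $db, $raw): ?string
{
    $id = validPageId($raw);
    if ($id === null) {
        return null; // reject rather than try to sanitise
    }
    $stmt = $db->prepare('SELECT text FROM pages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['text'];
}

// Constructed sample data in place of the real 'pages' table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, text TEXT)');
$db->exec("INSERT INTO pages VALUES (123, 'Welcome page'), (124, 'About page')");

// Constructed inputs standing in for $_GET['id'] on different requests,
// including the keyword-bearing values the post's blacklist is aimed at.
$inputs = ['123', '124', '999', 'abc', '123 union select', "1'", '0'];
foreach ($inputs as $raw) {
    $text = pageText($db, $raw);
    printf("%-20s => %s\n", var_export($raw, true), $text === null ? 'rejected / not found' : $text);
}
```

Only '123' and '124' return page text; '999' is a valid id with no row, and every other input is rejected by validPageId() before any SQL runs. If an id has to be a string (a slug, for instance), keep the bound parameter and swap the integer check for a pattern check such as preg_match('/^[a-z0-9-]{1,64}$/', $raw).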
