How to secure your web page against SQL injection
Here are a number of things you can do. I will show you a few here.
Alternative one
Let's say this is your code:
Code:
<?php
// Vulnerable: $_GET['id'] is pasted straight into the SQL string.
$result = mysql_query('SELECT text FROM pages WHERE id=' . $_GET['id']);
$row = mysql_fetch_assoc($result); // mysql_query() returns a result resource, not the text itself
echo $row['text'];
?>
This means that you are selecting the page content, which is 'text', from 'pages' in the SQL database, and you are picking the right page with $_GET['id'], which is the value in the URL. Example: http://google.com/index.php?id=123
This code is easily injectable. But if you do this:
Code:
<?php
// Escaping only protects a value that sits inside SQL quotes, so the id is quoted here too.
$result = mysql_query("SELECT text FROM pages WHERE id='" . mysql_real_escape_string($_GET['id']) . "'");
$row = mysql_fetch_assoc($result); // fetch the row; mysql_query() returns a resource
echo $row['text'];
?>
You are 100% secure
Alternative two
This one is not as good as the first one, but it still works.
Again, say this is your PHP code:
Code:
<?php
// Vulnerable: $_GET['id'] is pasted straight into the SQL string.
$result = mysql_query('SELECT text FROM pages WHERE id=' . $_GET['id']);
$row = mysql_fetch_assoc($result); // mysql_query() returns a result resource, not the text itself
echo $row['text'];
?>
Again, this is very simple to inject. But you can check $_GET['id'] for "illegal" characters, like this:
Code:
<?php
// Block-list check: refuse the request if the id contains any of these words.
// The comparison is case-insensitive, so "UNION" is caught as well as "union".
$lowered = strtolower($_GET['id']);
foreach (array('union', 'select', 'information_') as $word) {
    if (strpos($lowered, $word) !== false) {
        die;
    }
}
$result = mysql_query('SELECT text FROM pages WHERE id=' . $_GET['id']);
$row = mysql_fetch_assoc($result); // mysql_query() returns a result resource, not the text itself
echo $row['text'];
?>
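As an added example (not the original post's code), here is the same page lookup written with a PDO prepared statement and an allow-list check on the id, which is the approach that removes the need for escaping or word lists altogether. The DSN, user name and password are placeholders.

```php
<?php
// Added example, not from the original post: the page lookup done with PDO prepared
// statements, which keep the id separate from the SQL text instead of escaping it in.
// The DSN, user and password below are placeholders.

function fetch_page_text(PDO $db, $raw_id)
{
    // Allow-list the input: a page id must be a string of decimal digits only.
    // Anything else (letters, spaces, quotes, SQL keywords) is rejected as a whole,
    // so there is no list of "illegal" words to keep up to date.
    if (!is_string($raw_id) || !ctype_digit($raw_id)) {
        return null;
    }

    // The ? placeholder is bound separately from the query text, so the value is
    // never interpreted as SQL no matter which characters it contains.
    $stmt = $db->prepare('SELECT text FROM pages WHERE id = ?');
    $stmt->bindValue(1, (int) $raw_id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['text'];
}

$db = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepares rather than client-side emulation.
        PDO::ATTR_EMULATE_PREPARES => false,
    )
);

$text = fetch_page_text($db, isset($_GET['id']) ? $_GET['id'] : '');
if ($text === null) {
    http_response_code(404);
    exit;
}
// Escape for HTML on output, so stored page content cannot inject script either.
echo htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
?>
```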