أنشئ حسابًا أو سجّل الدخول للانضمام إلى مجتمعك المهني.
In short, ALWAYS sanitize your input! DO NOT trust user input, ever, so don't ever use it directly inside your queries.
We can Use mysql_real_escape_string() Function if we are code peo php else we can Use PHP Framework for the persistence Tasks
Ex: codeigniter - PHP , Hibernate - JAVA
sanitize your input and use the new php class mysqli with prepared statments
simply, in general you have to validate your variables which comes from user input.in SQL SERVER using of stored procedures will make it very hard to inject any malicious SQL command in your original query.
Visit this link and you will get answer in details.. it is very simple example. If you need more then i can spend time for you to give to the point info about SQL injection and remedy.
Simply use a framework, that will take care of it.
Or look for how to use PHP sprintf function for SQL injection similar to C printf
Use SQl parameters in your quries.
for e.g SQL="SELECT * FROM SUPPLIER WHERE SUPPLIER_ID=@SUPPLIER_ID "
some things you should consider when you POST/GET
- htmlentities($_POST["name"])/htmlentities($_GET["search"])
- PHP Data Objects (PDO) provide methods for prepared statements and working with objects that will make you far more productive!
Depends on the platform you are using, but there are many ways to prevent SQL injection.
First things first, -Set up user groups and assign appropriate Access levels
(if applicable, domain users accounts)
-Use Stored procedures to read and write information in the tables .
(In MS Server, you can keep your tables read only to all user. however, when you write or update you can use Stored procedures).
-Validate your fields, make sure unnecessary characters (;, - semicolon, minus sign) are automatically taken away or notify the user to have them removed from the control in the front end.
-Make sure you have a history table for every table you have input and output, and use triggers to write history.
In case you need any clarification on any of the above topics, I would be very happy to explain them to you in depth, just send me an email.
Regards
Avni
I agree with @Ahmed and @Ravindra.
FYI: SQL injections are by defualt disable in PHP version >5 but even then we shoould take care of it.