ابدأ بالتواصل مع الأشخاص وتبادل معارفك المهنية

أنشئ حسابًا أو سجّل الدخول للانضمام إلى مجتمعك المهني.

متابعة

How do you deal with SQL injection ?

user-image
تم إضافة السؤال من قبل Afsheen Atif
تاريخ النشر: 2014/06/28
مستخدم محذوف‎
من قبل مستخدم محذوف‎

In short, ALWAYS sanitize your input! DO NOT trust user input, ever, so don't ever use it directly inside your queries.

Ravindra Warnasooriya
من قبل Ravindra Warnasooriya , Software Project Manager , DataCore Lanka (Pvt) Ltd

We can Use   mysql_real_escape_string() Function if we are code peo php   else we can Use PHP Framework for the persistence Tasks

Ex: codeigniter - PHP  , Hibernate - JAVA

Harran Ali
من قبل Harran Ali , Creator , GoCondor (Golang open source project)

sanitize your input and use the new php class  mysqli with prepared statments

Muktar SayedSaleh
من قبل Muktar SayedSaleh , Software Engineering Manager , AIRASIA

simply, in general you have to validate your variables which comes from user input.in SQL SERVER using of stored procedures will make it very hard to inject any malicious SQL command in your original query.

Muddasar Khan
من قبل Muddasar Khan , Project Manager , Rising Web

Visit this link and you will get answer in details.. it is very simple example. If you need more then i can spend time for you to give to the point info about SQL injection and remedy.

Amir Khan
من قبل Amir Khan , LAMP/PHP Web Programmer , GTA Web Developers

Simply use a framework, that will take care of it.

Or look for how to use PHP sprintf function for SQL injection similar to C printf

 

Imran Shafique
من قبل Imran Shafique , Senior Application Developer , Bayan Credit Bureau

Use SQl parameters in your quries.

for e.g  SQL="SELECT * FROM SUPPLIER WHERE SUPPLIER_ID=@SUPPLIER_ID "

 

مستخدم محذوف‎
من قبل مستخدم محذوف‎

some things you should consider when you POST/GET

- htmlentities($_POST["name"])/htmlentities($_GET["search"])

- PHP Data Objects (PDO) provide methods for prepared statements and working with objects that will make you far more productive!

Umer Sulman
من قبل Umer Sulman , Senior Software Engineer , Spark Digitus Bahrain

First of all give developers more time, don't give them short deadlines. When you give them some extra time, then they can use a lot of solutions :)

Avni Ademi
من قبل Avni Ademi , Data Document Coordinator/ SQL Developer , FLUOR

Depends on the platform you are using, but there are many ways to prevent SQL injection. 

First things first, -Set up user groups and assign appropriate Access levels

(if applicable, domain users accounts)

-Use Stored procedures to read and write information in the tables . 

(In MS Server, you can keep your tables read only to all user. however, when you write or update you can use Stored procedures). 

-Validate your fields, make sure unnecessary characters (;, - semicolon, minus sign) are automatically taken away or notify the user to have them removed from the control in the front end. 

 

-Make sure you have a history table for every table you have input and output, and use triggers to write history. 

 

In case you need any clarification on any of the above topics,  I would be very happy to explain them to you in depth, just send me an email. 

Regards

Avni

 

 

Muhammad Majid Saleem
من قبل Muhammad Majid Saleem , Senior PHP Developer / Project Manager , SwaamTech

I agree with @Ahmed and @Ravindra.

FYI: SQL injections are by defualt disable in PHP version >5 but even then we shoould take care of it.

المزيد من الأسئلة المماثلة