
How to prevent SQL injection in PHP?

Question added by Muhammad Usman Usman, Software Engineer, Five Rivers Technologies
Date posted: 2013/07/10
by Ahsan Aslam, Software Engineer, FiverRivers Technologies (pvt) Ltd

Use the PHP function 'mysql_real_escape_string()', but this function will be deprecated in version 5.5.0 of PHP.
However, you can use MySQLi or PDO_MySQL to prevent SQL injection in PHP.

by Mohammad Shalabi, Solution Architect, Android, and IOS Architect, ALM New Way

Use parameterized queries

by Deleted user

If you are maintaining a server, I would suggest you harden your PHP by using the Suhosin extension in the project.
By default, FreeBSD uses this technology in PHP.
You can find the information at www.hardened-php.net. I hope this helps you.

by Oliver Russell

There are basically two main methods to prevent SQL injection attacks.

Make a function like this:

<?php
// Replaces single and double quotes in $str with their HTML entities.
function BlockSQLInjection($str)
{
    return str_replace(array("'", '"'), array("&#39;", "&quot;"), $str);
}
?>

The str_replace() function will replace all characters in the string.

Another method is to use prepared statements to execute SQL queries.

You can also prevent PHP SQL injection attacks by removing unused stored procedures.

by Zeeshan Mohammad, Software Engineer in Research, Center for Collective Intelligence - Massachusetts Institute of Technology

You can use prepared statements.
These are SQL statements that are parsed by the database server separately from the parameters, so if one sends in some injected parameter value, then its effect is handled during parsing.

by islam khalil, Technical Manager, iCloudit

MySQLi: Use mysql_real_escape_string($unsafe_variable);
PDO: Use prepared statements and parameterized queries

by Wali Farooqui, Student, Indian Institute of Information Technology and Management, Gwalior

Using PDO:

$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute(array(':name' => $name));
foreach ($stmt as $row) {
    // do something with $row
}
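
Added example, not part of any answer above: a self-contained PHP script that contrasts string concatenation and a quote-replacement filter with PDO prepared statements, the approach several answers recommend. It assumes the pdo_sqlite extension and uses an in-memory database; the table rows, function names and test inputs are constructed for illustration.

```php
<?php
// Added example. Assumes pdo_sqlite is available; all rows are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO employees (name) VALUES ('alice'), ('bob'), ('O''Brien')");

// Vulnerable: the value is concatenated into the SQL text, so the server parses it as SQL.
function findByNameConcat(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM employees WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the statement is parsed first, then the value is bound purely as data.
function findByNamePrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM employees WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Quote replacement alone: no effect when the value sits in an unquoted (numeric) position.
function findByIdFiltered(PDO $pdo, string $id): array
{
    $clean = str_replace(["'", '"'], ['&#39;', '&quot;'], $id);
    $sql = 'SELECT id, name FROM employees WHERE id = ' . $clean;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The same lookup with a bound parameter.
function findByIdPrepared(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM employees WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$hostileName = "nobody' OR '1'='1"; // constructed test input
$hostileId   = '0 OR 1=1';          // constructed test input, contains no quotes

printf("concat,   hostile name: %d rows\n", count(findByNameConcat($pdo, $hostileName)));
printf("prepared, hostile name: %d rows\n", count(findByNamePrepared($pdo, $hostileName)));
printf("prepared, O'Brien:      %d rows\n", count(findByNamePrepared($pdo, "O'Brien")));
printf("filtered, hostile id:   %d rows\n", count(findByIdFiltered($pdo, $hostileId)));
printf("prepared, hostile id:   %d rows\n", count(findByIdPrepared($pdo, $hostileId)));
```

The concatenated and filtered lookups return every row for the hostile inputs, while the prepared versions return none, and a legitimate name containing an apostrophe still matches.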
