In short, ALWAYS sanitize your input! DO NOT trust user input, ever, so don't ever use it directly inside your queries.
We can use the mysql_real_escape_string() function if we are coding in PHP; otherwise we can use a PHP framework for the persistence tasks.
Ex: CodeIgniter - PHP, Hibernate - Java
Sanitize your input and use the new PHP class mysqli with prepared statements.
Simply put, in general you have to validate the variables which come from user input. In SQL Server, using stored procedures will make it very hard to inject any malicious SQL command into your original query.
Visit this link and you will get the answer in detail. It is a very simple example. If you need more, then I can spend time to give you to-the-point info about SQL injection and its remedy.
Simply use a framework, that will take care of it.
Or look at how to use the PHP sprintf function for SQL injection, similar to C's printf.
Use SQL parameters in your queries.
e.g. SQL="SELECT * FROM SUPPLIER WHERE SUPPLIER_ID=@SUPPLIER_ID "
Some things you should consider when you POST/GET:
- htmlentities($_POST["name"])/htmlentities($_GET["search"])
- PHP Data Objects (PDO) provide methods for prepared statements and working with objects that will make you far more productive!
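The parameterized query and the PDO prepared statement mentioned above, as an added example that is not part of any answer in this thread: the same SUPPLIER lookup built by string concatenation beside its prepared-statement form, run against a constructed in-memory SQLite table (the table, column names and the sample input are assumptions for the demo).

```php
<?php
// Added example: concatenated SQL vs. a PDO prepared statement.
// Uses an in-memory SQLite database with a constructed SUPPLIER table.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE SUPPLIER (SUPPLIER_ID INTEGER PRIMARY KEY, NAME TEXT)');
$db->exec("INSERT INTO SUPPLIER VALUES (1, 'Acme'), (2, 'Globex')");

// Vulnerable: user input is concatenated straight into the SQL text, so the
// input can change the structure of the query, not just the value compared.
function findSupplierUnsafe(PDO $db, string $id): array
{
    $sql = "SELECT * FROM SUPPLIER WHERE SUPPLIER_ID=" . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement with a bound parameter. The SQL text is
// fixed at prepare time and the value is sent separately, so whatever the
// user typed is only ever treated as data.
function findSupplierSafe(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT * FROM SUPPLIER WHERE SUPPLIER_ID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: the textbook tautology a user might submit instead of a plain id.
$tampered = '1 OR 1=1';

// Unsafe: the WHERE clause is rewritten and every supplier row (2) comes back.
echo count(findSupplierUnsafe($db, $tampered)), " rows (unsafe)\n";
// Safe: the whole string is compared as one value, so no row matches (0).
echo count(findSupplierSafe($db, $tampered)), " rows (safe)\n";
```

The same pattern applies unchanged to mysqli's prepare()/bind_param() and to the @SUPPLIER_ID parameter style of SQL Server: the fix is keeping the query text constant and passing values out of band, not escaping them into the string.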
Depends on the platform you are using, but there are many ways to prevent SQL injection.
First things first:
- Set up user groups and assign appropriate access levels (if applicable, domain user accounts).
- Use stored procedures to read and write information in the tables. (In MS Server, you can keep your tables read-only to all users; however, when you write or update you can use stored procedures.)
- Validate your fields: make sure unnecessary characters (semicolon ";", minus sign "-") are automatically taken away, or notify the user to have them removed from the control in the front end.
- Make sure you have a history table for every table you have input and output on, and use triggers to write the history.
In case you need any clarification on any of the above topics, I would be very happy to explain them to you in depth, just send me an email.
Regards
Avni
I agree with @Ahmed and @Ravindra.
FYI: SQL injections are by default disabled in PHP version >5, but even then we should take care of it.