Communiquez avec les autres et partagez vos connaissances professionnelles

Inscrivez-vous ou connectez-vous pour rejoindre votre communauté professionnelle.

Suivre

How do you deal with SQL injection ?

user-image
Question ajoutée par Afsheen Atif
Date de publication: 2014/06/28
Utilisateur supprimé
par Utilisateur supprimé

In short, ALWAYS sanitize your input! DO NOT trust user input, ever, so don't ever use it directly inside your queries.

Ravindra Warnasooriya
par Ravindra Warnasooriya , Software Project Manager , DataCore Lanka (Pvt) Ltd

We can Use   mysql_real_escape_string() Function if we are code peo php   else we can Use PHP Framework for the persistence Tasks

Ex: codeigniter - PHP  , Hibernate - JAVA

Harran Ali
par Harran Ali , Creator , GoCondor (Golang open source project)

sanitize your input and use the new php class  mysqli with prepared statments

Muktar SayedSaleh
par Muktar SayedSaleh , Software Engineering Manager , AIRASIA

simply, in general you have to validate your variables which comes from user input.in SQL SERVER using of stored procedures will make it very hard to inject any malicious SQL command in your original query.

Muddasar Khan
par Muddasar Khan , Project Manager , Rising Web

Visit this link and you will get answer in details.. it is very simple example. If you need more then i can spend time for you to give to the point info about SQL injection and remedy.

Amir Khan
par Amir Khan , LAMP/PHP Web Programmer , GTA Web Developers

Simply use a framework, that will take care of it.

Or look for how to use PHP sprintf function for SQL injection similar to C printf

 

Imran Shafique
par Imran Shafique , Senior Application Developer , Bayan Credit Bureau

Use SQl parameters in your quries.

for e.g  SQL="SELECT * FROM SUPPLIER WHERE SUPPLIER_ID=@SUPPLIER_ID "

 

Utilisateur supprimé
par Utilisateur supprimé

some things you should consider when you POST/GET

- htmlentities($_POST["name"])/htmlentities($_GET["search"])

- PHP Data Objects (PDO) provide methods for prepared statements and working with objects that will make you far more productive!

Umer Sulman
par Umer Sulman , Senior Software Engineer , Spark Digitus Bahrain

First of all give developers more time, don't give them short deadlines. When you give them some extra time, then they can use a lot of solutions :)

Avni Ademi
par Avni Ademi , Data Document Coordinator/ SQL Developer , FLUOR

Depends on the platform you are using, but there are many ways to prevent SQL injection. 

First things first, -Set up user groups and assign appropriate Access levels

(if applicable, domain users accounts)

-Use Stored procedures to read and write information in the tables . 

(In MS Server, you can keep your tables read only to all user. however, when you write or update you can use Stored procedures). 

-Validate your fields, make sure unnecessary characters (;, - semicolon, minus sign) are automatically taken away or notify the user to have them removed from the control in the front end. 

 

-Make sure you have a history table for every table you have input and output, and use triggers to write history. 

 

In case you need any clarification on any of the above topics,  I would be very happy to explain them to you in depth, just send me an email. 

Regards

Avni

 

 

Muhammad Majid Saleem
par Muhammad Majid Saleem , Senior PHP Developer / Project Manager , SwaamTech

I agree with @Ahmed and @Ravindra.

FYI: SQL injections are by defualt disable in PHP version >5 but even then we shoould take care of it.

More Questions Like This