CODEWITHSUNDEEP
phpsql-injectioncode-injection
Fero
Fero

Reputation: 13315

How to Prevent a site from SQL INJECTION

I am in idea to start a site from scratch using PHP & MYSQL using MVC Architecture. But according to client requirement the site must be prevent from SQL INJECTION and CODE INJECTION.

What are the necessary steps i need to do.

OR

Which is the best framework to start the site which prevents from SQL INJECTION and CODE INJECTION.

I didn't ask this to create a discussion with keeping in mind. I just want to know which one is better so that i can start with professionals guidance.

thanks i advance...

Upvotes: 2

Views: 516

Answers (8)

regilero
regilero

Reputation: 30496

After all the good tips given here on escaping your user data before putting it in database, you must as weel think at the second side of the problem.

Escape the ouptuts

That means every output of your application should be escaped based on the rule of this output format. For example, when you echo something for an HTML page you must escape it via htmlentites, so that any HTMl contined in your data will not be html in the output. And for a csv output you should escape quotes or commas, for JSON you should escape things as well, etc every output has his rules.

This thing is sometime used to store data which is potentially dangerous (js code, Html code) in the DB, by only preventing SQL injection before insertion. And then ensuring it is properly escaped before any output.

Another way of thinking is to prevent any js or HTML code before the database storage, but you should still escape the output (in case of).

Talking about frameworks you should get a look at Zend Framework on the Zend_Filter, Zend_Validate, and the escape functions on views.

Upvotes: 0

anon
anon

Reputation: 31

escape all input from $_GET[], $_POST[] etc with mysql_real_escape_string() right away.

Upvotes: 3

aiternal
aiternal

Reputation: 1100

These two functions will help you:

function escape($escape)
{
    $escape = mysql_real_escape_string($escape) ;
    return $escape ;
}

function _INPUT($name)
{
    if ($_SERVER['REQUEST_METHOD'] == 'GET') {
        return strip_tags($_GET[$name]);
        }
    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
        return strip_tags($_POST[$name]);
        }
}

Send everything with escape() function to db and grab all forms with _INPUT(). You can use _INPUT function for every $_POST or $_GET except on boolean functions like empty($_POST['name']) or isset($_POST['name']) etc.

Upvotes: 3

Michael Borgwardt
Michael Borgwardt

Reputation: 346260

By far the most reliable way to prevent SQL injection is to use mysqli parameterized queries exclusively instead of building SQL statements manually.

It's much better than mysql_real_escape_string() because the risk of accidentally forgetting to use it is lower.

To prevent server-side code injection, don't ever under any circumstances use eval()

To prevent Javascript injection, treat all user-generated content with strip_tags() before displaying it or storing it in the DB.

Upvotes: 5

Liam
Liam

Reputation: 1768

The best way to do this is to use prepared statements, bar none. This will keep you from having to hand code and balance everything on your own. PHP's mysqli has this built into it and is a good first step into this world. Look at the PHP manual page on this.

Upvotes: 0

Bhanu Prakash Pandey
Bhanu Prakash Pandey

Reputation: 3775

use mysql_real_escape_string

Upvotes: 0

DreamWave
DreamWave

Reputation: 1940

You should look at this tutorial: http://www.learnphponline.com/security/sql-injection-prevention-mysql-php

Upvotes: 1

Marcelo Cantos
Marcelo Cantos

Reputation: 185852

Use mysql_real_escape_string when passing string parameters to build SQL statements. That includes an numeric, etc., parameters that you handle as strings.

Upvotes: 1

Related Questions