ociugi Posted November 2, 2007 Share Posted November 2, 2007 i am aware of sql injection but I'm lock of knowledge on how to prevent this by increasing the security of the php code. i don't know where and when exactly to use the regular expression, trim, strpos, strsub, urlencode, urldecode functions, etc. because i am a beginner programmer. do i need to use the stripslashes to all input? For example i have a login form with user id and password, i want to know what and how to filter the input before i insert or select into sql? and for the registration form input filtering, is it the same as the login form filtering? please explain to me on how to prevent the sql injection. thank you in advance. Quote Link to comment Share on other sites More sharing options...
pocobueno1388 Posted November 2, 2007 Share Posted November 2, 2007 The most important function when it comes to sql injections is mysql_real_escape_string() http://www.php.net/mysql_real_escape_string You need to use that function on ALL variables you are using in any query. Quote Link to comment Share on other sites More sharing options...
pocobueno1388 Posted November 2, 2007 Share Posted November 2, 2007 Here are some good articles on it you can read up on to understand more http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php http://www.netlobo.com/preventing_mysql_injection.html http://www.securiteam.com/securityreviews/5DP0N1P76E.html Quote Link to comment Share on other sites More sharing options...
kenrbnsn Posted November 2, 2007 Share Posted November 2, 2007 You can also read the articles at PHP Security Consortium Ken Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.