You all know about SQL Injection. To avoid this issue in PHP/MySQL. Just use mysql_real_escape_string()
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.
Also apart from this Data Validation from Text Boxes is very important. It's a good habit to Trim blank spaces around word, sentences or even characters and if it's a Numeric field, you must ensure only Numbers & Decimals are permitted.
You can use ereg_replace () function in PHP to retain the range of Characters/Numbers/Special Characters and replace the rest with Blank.
For e.g. I would like to only allow capital A-Z, smal a-z, and Numeric numbers 0-9 and also allow space, so I would use the following:
ereg_replace ("[^a-zA-Z0-9 ]","", $val); //where $val contains the value.
Now with the increased web attacks on websites, most of them is due to SQL Injection, and Spamming of Web Forms.
The Spamming of Forms is a major concern, and thanks to Captcha & other random techniques so that Automatic Form Submission does not take place once this are in place.
In the end, I recommend that good sites stand by good security of the site and it makes your visitor to the site secured as well.
If you have any comments, do let me know and share your insight with me.
These days a lot of websites are being hacked or they are being targeted for abuse. There has been a high increase in script induction in the website.
A novice website user has no idea, what they are facing and how their websites are being compromised.
It is a common sight these days that I get calls from people to remove viruses from their websites. Now it's just not computer viruses that are harassing users, but website borne virus are really a pain for web developers.