You all know about SQL Injection. To avoid this issue in PHP/MySQL. Just use mysql_real_escape_string()
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.
Also apart from this Data Validation from Text Boxes is very important. It's a good habit to Trim blank spaces around word, sentences or even characters and if it's a Numeric field, you must ensure only Numbers & Decimals are permitted.
You can use ereg_replace () function in PHP to retain the range of Characters/Numbers/Special Characters and replace the rest with Blank.
For e.g. I would like to only allow capital A-Z, smal a-z, and Numeric numbers 0-9 and also allow space, so I would use the following:
ereg_replace ("[^a-zA-Z0-9 ]","", $val); //where $val contains the value.
Now with the increased web attacks on websites, most of them is due to SQL Injection, and Spamming of Web Forms.
The Spamming of Forms is a major concern, and thanks to Captcha & other random techniques so that Automatic Form Submission does not take place once this are in place.
In the end, I recommend that good sites stand by good security of the site and it makes your visitor to the site secured as well.
If you have any comments, do let me know and share your insight with me.
Olay eyes of Arabia website developed by me has been launched
Galaxy Icecream is a Flash / PHP microsite. Main functionality of this site is to gain the maximum points by registering, revealing 4 secrets every day and friends who join on your recommendation via Tell a friend. During registration process we have ensured to avoid spamming via MD5 encryption, so us to ensure that users get genuine points. The back end module supports the admin to generate various reports and export to excel.
Go on visit: www.galaxy-icecream.com
Do comment, how did you like it?