You all know about SQL Injection. To avoid this issue in PHP/MySQL. Just use mysql_real_escape_string()

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: x00, n, r, , ', " and x1a.

This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.

Also apart from this Data Validation from Text Boxes is very important. It's a good habit to Trim blank spaces around word, sentences or even characters and if it's a Numeric field, you must ensure only Numbers & Decimals are permitted. 

You can use ereg_replace () function in PHP to retain the range of Characters/Numbers/Special Characters and replace the rest with Blank.

For e.g. I would like to only allow capital A-Z, smal a-z, and Numeric numbers 0-9 and also allow space, so I would use the following:
ereg_replace ("[^a-zA-Z0-9 ]","", $val); //where $val contains the value.

Now with the increased web attacks on websites, most of them is due to SQL Injection, and Spamming of Web Forms.

The Spamming of Forms is a major concern, and thanks to Captcha & other random techniques so that Automatic Form Submission does not take place once this are in place.

In the end, I recommend that good sites stand by good security of the site and it makes your visitor to the site secured as well.

If you have any comments, do let me know and share your insight with me.


By yusuf

4 thoughts on “SQL Injection & Prevention PHP/MySQL”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.