You all know about SQL Injection. To avoid this issue in PHP/MySQL. Just use mysql_real_escape_string()
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: x00, n, r, , ', " and x1a.
This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.
Also apart from this Data Validation from Text Boxes is very important. It's a good habit to Trim blank spaces around word, sentences or even characters and if it's a Numeric field, you must ensure only Numbers & Decimals are permitted.
You can use ereg_replace () function in PHP to retain the range of Characters/Numbers/Special Characters and replace the rest with Blank.
For e.g. I would like to only allow capital A-Z, smal a-z, and Numeric numbers 0-9 and also allow space, so I would use the following:
ereg_replace ("[^a-zA-Z0-9 ]","", $val); //where $val contains the value.
Now with the increased web attacks on websites, most of them is due to SQL Injection, and Spamming of Web Forms.
The Spamming of Forms is a major concern, and thanks to Captcha & other random techniques so that Automatic Form Submission does not take place once this are in place.
In the end, I recommend that good sites stand by good security of the site and it makes your visitor to the site secured as well.
If you have any comments, do let me know and share your insight with me.
4 thoughts on “SQL Injection & Prevention PHP/MySQL”
Thank u so much for ur valuable info. BTW does this work if we are passing arabic data?
yes it does work for Arabic but the function ereg_replace() might not work, you would require special tweaking
thanks for the info. 🙂
The following link has an excellent explanation of how to enable Arabic, Urdu and other foreign language support in PHP/MySQL.