1-Input Validation
e.g. convert integers to integers before using so no nasty sql code can be added.
$id = intval($_GET['id']);
2-Prepared Statements
e.g. a better way , it separates sql logic from the data
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
3-Least Privileges
e.g. even if your developer screwed up, limit what the bad guy can do. if the website only reads certain tables, only give it read access to those tables.
More about neonprimetime
Top Blogs of all-time
- pagerank botnet sql injection walk-thru
- DOM XSS 101 Walk-Through
- An Invoice email and a Hot mess of Java
Top Github Contributions
Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
No comments:
Post a Comment