Wednesday, August 31, 2016

Prevent SQL Injection in PHP

A good quick read on preventing SQL injection, by Kamran Mohsin. The three layers it covers:

1-Input Validation
  e.g. cast values that are supposed to be integers to integers before using them, so no SQL can be smuggled into the query.
   $id = intval($_GET['id']);


2-Prepared Statements
  e.g. a better way, it separates the SQL logic from the data
  $stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
  $stmt->bindParam(':name', $name);
  $stmt->bindParam(':value', $value);
  $stmt->execute();
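To see points 1 and 2 side by side, here is an added example (my own code, not from the post or from Kamran Mohsin's article). It runs against an in-memory SQLite database through PDO so it works offline; the users table, its rows and the query-string value are all constructed for the demo, and the function names are my own.

```php
<?php
// Added example: a vulnerable lookup next to its hardened version.
// Requires the pdo_sqlite extension; the table and rows are constructed here.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
    return $db;
}

// VULNERABLE: the raw request value is glued into the SQL text, so whatever
// the caller sends becomes part of the query logic instead of staying data.
function findUserVulnerable(PDO $db, string $rawId): array {
    $sql = 'SELECT id, name FROM users WHERE id = ' . $rawId;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: point 1 (validate/cast the type) plus point 2 (bind the value).
function findUserSafe(PDO $db, string $rawId): array {
    // Point 1: an id is an integer, so force it to one before it gets near SQL.
    // (filter_var($rawId, FILTER_VALIDATE_INT) rejects bad input instead of coercing it,
    // which is the better choice when you want to return a 400 rather than a guess.)
    $id = intval($rawId);

    // Point 2: prepared statement; the driver keeps the SQL and the data apart,
    // so even without point 1 the bound value could never change the query shape.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();
$hostile = '1 OR 1=1';   // constructed value standing in for $_GET['id']

printf("vulnerable: %d rows\n", count(findUserVulnerable($db, $hostile)));
printf("hardened:   %d rows\n", count(findUserSafe($db, $hostile)));
printf("hardened with a normal id: %d rows\n", count(findUserSafe($db, '2')));
```

The vulnerable path returns every row, because the condition has become `id = 1 OR 1=1`; the hardened path returns only the row for id 1, since `intval` reduces the input to `1` and the prepared statement sends it as a parameter rather than as query text. Use `bindValue` with `PDO::PARAM_INT` (as above) or `bindParam` as in the post; both keep the data out of the SQL string.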


3-Least Privileges
e.g. even if your developer screwed up, limit what the bad guy can do: if the website only reads certain tables, give its database account read access to those tables and nothing else.
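An added example of point 3 (my own code, not from the post): the application opens its database connection read-only, so an injected UPDATE or DELETE is refused by the database itself rather than by application code. It uses SQLite's read-only open flag through pdo_sqlite (PHP 7.3 or later) so it runs offline; the products table, its rows and the temporary file are constructed for the demo. On MySQL or PostgreSQL the same effect comes from a dedicated account that is granted SELECT only on the tables the site reads.

```php
<?php
// Added example: a read-only application connection as a least-privilege backstop.
// Requires pdo_sqlite (PDO::SQLITE_ATTR_OPEN_FLAGS is available from PHP 7.3).

$path = tempnam(sys_get_temp_dir(), 'lp_');   // constructed throwaway database file

// Provisioning step (run once, with full rights): create and seed the table.
// This is the DBA's job, not the web app's.
$admin = new PDO('sqlite:' . $path);
$admin->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$admin->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)');
$admin->exec("INSERT INTO products (name, price) VALUES ('widget', 9.99), ('gadget', 19.99)");
$admin = null;

// Application connection: reading is all the website needs, so that is all it gets.
$app = new PDO('sqlite:' . $path, null, null, [
    PDO::ATTR_ERRMODE           => PDO::ERRMODE_EXCEPTION,
    PDO::SQLITE_ATTR_OPEN_FLAGS => PDO::SQLITE_OPEN_READONLY,
]);

// Normal reads still work.
$rows = $app->query('SELECT name, price FROM products')->fetchAll(PDO::FETCH_ASSOC);
printf("readable rows: %d\n", count($rows));

// A write, which is what an injected statement would attempt after a developer
// mistake upstream, is rejected by the database, so the mistake does not become data loss.
try {
    $app->exec('DELETE FROM products');
    echo "write succeeded: this connection has more privilege than it needs\n";
} catch (PDOException $e) {
    echo 'write refused: ' . $e->getMessage() . "\n";
}

$app = null;
unlink($path);
```

The point is the layering: validation and prepared statements stop the injection from happening, and the read-only account limits the damage if they are ever forgotten in one query. Log the refused write as well; a permission error on a connection that should never write is a useful detection signal.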


More about neonprimetime



Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
