• entries RSS
• comments RSS





• Arts And Entertainment
• Business
• Communications
• Computers
• Disease And Illness
• Fashion
• Finance
• Food And Beverage
• General
• Health And Fitness
• Home And Family
• Internet Business
• Politics
• Product Reviews
• Recreation And Sports
• Reference And Education
• Self Improvement
• Society
• Technology
• Travel And Leisure
• Vehicles
• Writing And Speaking

PHP Tutorial On MySQL Injection Written on July 31, 2008, by Internet Garner.

One of the biggest flaws in the PHP language is the fact that it allows for web developers to make very big mistakes in regards to security. One example of this is through SQL injections- an exploit that malicious users take advantage of when web developers don’t accurately safeguard their application.

SQL injections are defined by the vulnerability in the SQL query that PHP developers make use of. When the developer in question puts forth an SQL query, he or she needs to make an effort to validate any input that could come from any web form or entry field. A simple input statement such as “a’ OR ‘a’='a’” could compromise the security of one’s database with ease.

PHP developers have used the magic quotes function to help safeguard against SQL injections. Magic quotes are no longer in use, however, since they were more of a hassle than anything. It is recommended that if a developer has used magic quotes, he or she should remove them since they are no longer supported as of PHP 6. Thus, we need to look elsewhere for a security solution.

Using the “mysql_real_escape_string()” function will enable web developers to escape quotes properly. And unlike magic quotes, this function will only escape quotes that we need. Keep in mind that when using this function, it may be necessary to use the “striplslashes()” function to counteract the slashes that are being outputted as a result.

Oddly enough, we can create a greater sense of security through creating more user accounts via our SQL program. We can assign different types of access to different users, which would make it quite hard for attackers to get full access to our database should they find a hole somewhere. Having a user for creating, deleting, and inserting data is a good idea to help split up responsibility.

It should be noted that programs and web applications that stop SQL injections should not be obtained- since they commonly cost quite a bit of money. As long as webmasters take precautions with what they create, there should be no reason to spend hundreds of dollars on software that only makes use of escape characters and formatting data correctly. This type of application is created to con webmasters into buying something they don’t need- so dont fall victim to them!

Closing Comments

Security is a big topic among webmasters, who make no money and achieve no fame by getting attacked via an SQL injection. To keep profits running high, it is recommended that webmasters make use of the tips previously mentioned. It’s also good to brush up on more PHP security tips, as well as make use of SQL injection scanners that are available over the Internet.

Learn more about Defend SQL Injection and Defend SQL Injection.

© Copyright Internet Garner News Release Service - Supply Chain Management - Yahoo - Google