Free Articles at Neutron Marketing Article Publishing and Distribution » Internet-and-businesses-online » Security » SQL Injection Prevention Guidelines For Developers
Previous Article - Ten Indicators that it is Time to Move to a Dedicated Server
Next Article - Points In PHP And SQL Security Topics Explained

View PDF | Print View | Html Version
by: ChrisChanning
Total views: 2
Word Count: 446

SQL injection is becoming a problem for web developers- especially those new to the field who aren't up to speed on how insecure PHP can really be. But as the experts like to say, PHP isn't the problem- it's the knowledge of the programmer that counts when it comes to preventing SQL injection attacks.

An SQL injection attack is, simply put, a vulnerability in the SQL query that programmers unwittingly leave wide open. When a web developer calls an SQL query, he or she will commonly forget to escape quotes that the user might input. Users might input text such as "MyVariable' OR 1=1--" ; this line will actually give the malicious user to your database!

PHP developers have used the magic quotes function to help safeguard against SQL injections. Magic quotes are no longer in use, however, since they were more of a hassle than anything. It is recommended that if a developer has used magic quotes, he or she should remove them since they are no longer supported as of PHP 6. Thus, we need to look elsewhere for a security solution.

The common way to protect against an SQL injection attack is to simply use the mysql_real_escape_string() function that PHP has support for. When passing POST values through this function, the result becomes an escaped string that can't be used to manipulate an SQL query- perfect for our situation.

Another good way to prevent SQL injections is to simply restrict authority in SQL users where possible. For instance: it would be a good idea to create individual users that do specific things: such as create a table or update rows in the said table. This can help make the task of ruining one's hard work much harder for malicious web users, although it's a lot more work for webmasters (Although well worth it).

It should be noted that programs and web applications that stop SQL injections should not be obtained- since they commonly cost quite a bit of money. As long as webmasters take precautions with what they create, there should be no reason to spend hundreds of dollars on software that only makes use of escape characters and formatting data correctly. This type of application is created to con webmasters into buying something they don't need- so dont fall victim to them!

Closing Comments

Security is a big topic among webmasters, who make no money and achieve no fame by getting attacked via an SQL injection. To keep profits running high, it is recommended that webmasters make use of the tips previously mentioned. It's also good to brush up on more PHP security tips, as well as make use of SQL injection scanners that are available over the Internet.

About the Author

Learn more on SQL Injection URL and SQL Injection Tutorial.

---

Rating: Not yet rated

--Choose-- 0 1 2 3 4 5

No comments posted.

Add Comment

Enter the code shown