How to Prevent an SQL Injection From a Website

SQL injection is a type of attack that leaves your domain vulnerable to data theft. In some cases the attacker is able to gain access to the server file system or take control of the database server. To protect against SQL injection, apply the PHP "mysql_escape_string" function to the queries on your web pages. You apply the function to each query string variable, and it converts the single quote characters used to carry out the SQL injection attack to double quotes.

Instructions

    • 1

      Right-click the PHP file that queries your database server and click "Open With." Click your PHP editor in the list of programs. Most websites have more than one PHP file that queries a server, so you must perform the code changes with each PHP file.

    • 2

      Locate the query string variable that sets up the SQL query. For instance, the following query string variable retrieves a list of orders for a customer:

      $query = "select name, ordernumber from orders where customerid = " . $customerid;

    • 3

      Apply the "mysql_escape_string" function to the query string variable. Place the following code directly after the query string definition:

      $query = mysql_escape_string($query);

      The code above escapes any SQL injection attempts, so when the query is sent to the server, the hacker is unable to run unauthorized code.
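The following is an added example and is not code from the original article. It runs the article's customer-order query through a PDO prepared statement, which is the technique current PHP documentation recommends in place of the "mysql_escape_string" approach described above; the table and column names follow the article, while the DSN, the credentials and the function names ("fetchOrdersForCustomer", "buildOrdersByNameQuery") are assumed placeholders.

```php
<?php
// Added example, not code from the original article. It runs the article's
// customer-order query as a PDO prepared statement instead of escaping the
// assembled query string. Table and column names follow the article; the DSN,
// credentials and function names are assumed placeholders.

/**
 * Return the orders for one customer, passing the id as a bound parameter.
 */
function fetchOrdersForCustomer(PDO $db, $customerId): array
{
    // customerid is compared to a bare number in the article's query, so reject
    // anything that is not an integer before it reaches the database.
    $id = filter_var($customerId, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('customerid must be an integer');
    }

    // The SQL text is fixed at prepare time; the value travels separately as a
    // parameter, so quote characters or keywords in user input cannot change
    // the statement the server executes.
    $stmt = $db->prepare(
        'SELECT name, ordernumber FROM orders WHERE customerid = :cid'
    );
    $stmt->bindValue(':cid', $id, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * If a value must be spliced into SQL text (for example, in a legacy page that
 * cannot be converted to prepared statements yet), escape each value on its own
 * with PDO::quote(), which also adds the surrounding quotes. Escaping is applied
 * to the individual value before it is concatenated, not to the finished query
 * string, because escaping the whole query would alter the query's own quotes.
 */
function buildOrdersByNameQuery(PDO $db, string $name): string
{
    return 'SELECT name, ordernumber FROM orders WHERE name = ' . $db->quote($name);
}

// Placeholder connection details (assumed; replace with your own).
$db = new PDO('mysql:host=localhost;dbname=shop', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$orders = fetchOrdersForCustomer($db, $_GET['customerid'] ?? '');
foreach ($orders as $order) {
    // Escape for HTML output as well; SQL escaping does nothing for the browser.
    echo htmlspecialchars($order['name']) . ': '
        . htmlspecialchars((string) $order['ordernumber']) . "\n";
}
```

With a prepared statement the query text never contains user input, so there is nothing for an injected quote or keyword to break out of; the integer check in "fetchOrdersForCustomer" additionally rejects malformed ids before any database round trip. The "buildOrdersByNameQuery" helper shows the one correct form of the escaping approach, applied per value inside quotes, for pages that cannot be converted yet.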
