In my PHP code I can get data with the PHP $_GET method. Here is what the code looks like:
<?php
// Builds the profile link; $uname is inserted unescaped, exactly as in the original question
echo "<a href='userprofile.php?uname=$uname'>$uname</a>";
?>
If I click the link it shows the user profile page, and the userprofile.php page's URL looks like this:
http://localhost/evantechbd1/userprofile.php?uname=shibbir
My question is: how do I prevent this URL from SQL injection or any other attack?
If I write:
http://.......uname=shibbir'OR'='-1-'
then it shows:
SHIBBIR%27OR%27%3D%27-1-%27'S PROFILE.
BUT I want that, whatever text is provided to that link, it must show only a valid username's profile page.
Any idea?
You can’t prevent someone from ATTEMPTING the attack, you can only prevent the attack from succeeding. However, what that prevention actually IS depends entirely on what you’re going to use the data for. There is no ‘magic bullet’ function that will make every bit of data safe in every case, as many ‘sanitization’ functions destroy data that is necessary in other usage cases.
e.g. there is no point in doing SQL injection attack prevention with (say) mysql_real_escape_string() if the bad data is never going to be used in an SQL query. Doing htmlspecialchars() when the string is not going to be used in an HTML context is similarly useless.