Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Possible Duplicate:
Best way to prevent SQL injection in PHP?
I am building my first online shop and i’m writing the PHP code myself and using a MySQL database. I have been advised that its really important to have data validation on inputs so that my database cannot be compromised. Can someone tell me what validation to include or maybe a trusted tutorial that is recommended.
Thanks in advance
Search this site for “Sql Injection”. A common source of sql injection attacks is user-input which is not validated and is then trustingly concatenated before being sent to the database.
For example, if your statement is this:
(where ‘some variable’ is user input just passed on to the SQL)
then the user can input
'xxx''; delete from mytable; --'and what the database gets is:
causing havoc.
So the key issue here is: don’t pass unvalidated, concatenated text to your database for it to execute.
You can achieve this in several ways:
everthing)
parameters
of tea)
I’d go for parameterized SQL as the database driver will take care of binding everything the user inputs as a single value, whilst at the same time keeping your business logic out of the database.