Register now or log in to join your professional community.
Use prepared statements and parameterized queries (PDO & Mysqli).
PDO : http://php.net/manual/en/book.pdo.php
MYsqli : http://php.net/manual/en/book.mysqli.php
You can see more informations about it here :
How to Prevent SQL Injection in PHP
in PDO and MySqli you can bind the parameters and then excute the query
another solution you can escape the parameters using "mysql_real_escape_string"
its all depends on what are you using to manipulate the sql statement
Stored Procedure
Better always use XSS Filtering
the best and the simple way is use sql procedures and try to implement strict coding. dont b a loose coder.
use mysql_escape_string function to avoid charectors for sql injection before the string with {} for example:"SELECT *FROM `tablename`WHERE fieldname = '{".mysql_escape_string($value)."}'"
Use Parameterized Query to prevent sql injection
Best way to prevent sql injection is looking for correct input. Use regular expressions and develop strategy for invalid input. Please remember pitfals. alternative representations. http://myhostname.com or http://194.71.105.29.
Biggest mistake:
.Not checking at all,
.Looking for incorrect input.
Beside The best things that all Other developrs mention, the best thing u can do to avoid SQL injection, is FILTER ALL INPUTS , Nerver trust input from user.
One of the ways is using magic quotes at server level. Another one is using the function addslashes for each input, although it's not really nice.
use mysql_escape_string function to avoid charectors for sql injection before the string
Do you need help in adding the right keywords to your CV? Let our CV writing experts help you.
