PHP & SQL security - how to avoid a PHP hack attack?

rahulephp
Hi there,
First of all I want to let you know that my experience with this forum is really very good.

I am a new PHP programmer and I have intend knowledge of PHP & MySQL.

A few days ago, I noticed that someone had tried to hack my website using SQL injection.

If you run a content website (no e-commerce) that uses PHP and a MySQL database, what security programming measures can you take to ensure that someone doesn't hack / deface / erase your site and its data? I don't think that is all the host's job. What are some typical mistakes that programmers make that leave themselves open to hacking? What can a programmer do on the coding end? How can we avoid a PHP hack attack?

I think things like SQL Injection are worth looking into.

Can you please let me know about security with regard to SQL injection?

Expecting good help from you & thank you in anticipation.
Oct 5 '09 #1
Dormilich
@rahulephp
  • directly using the data coming from userland without checking it
  • outputting system error messages*

* I've seen error messages that contained the complete SQL code.

@rahulephp
The least you should do is escape/filter the data. Currently the safest method I know is using Prepared Statements, which makes SQL Injection impossible.

@rahulephp
Either by putting the site offline or not at all. But you can make it da** difficult for the hacker.
Oct 5 '09 #2
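As an added illustration of the prepared-statement advice in the reply above (example code, not from the thread or its authors): the query string stays fixed and the user-supplied value travels separately as a bound parameter, so the database never parses it as SQL. It uses PDO; the connection details and the `articles` table are hypothetical placeholders. The vulnerable string-building form is kept beside the safe one for contrast, and the catch block shows keeping the database's own error text out of the page, as the first reply warns.

```php
<?php
// Added example (not from the original thread). Assumes a PDO connection to
// MySQL and a hypothetical table `articles` (id INT, title, body).

declare(strict_types=1);

function connect(): PDO
{
    // DSN and credentials are placeholders; in real code load them from a
    // config file that lives outside the web root.
    return new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'dbuser', 'dbpassword', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
    ]);
}

// VULNERABLE: the request value is pasted straight into the SQL text, so any
// SQL syntax it contains becomes part of the query the server executes.
function findArticleUnsafe(PDO $pdo, string $id): ?array
{
    $row = $pdo->query("SELECT id, title, body FROM articles WHERE id = $id")
               ->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// SAFE: the statement is prepared with a placeholder and the value is bound
// as data. The server receives query text and parameter separately, so the
// value can never change the query's structure.
function findArticleSafe(PDO $pdo, string $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, title, body FROM articles WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT); // cast: the column is an integer
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Error handling: log the detail on the server, show the visitor a generic page.
try {
    $pdo     = connect();
    $article = findArticleSafe($pdo, $_GET['id'] ?? '');

    if ($article === null) {
        http_response_code(404);
        echo 'Article not found.';
    } else {
        // Output escaping for the HTML context (see the next reply on XSS).
        echo '<h1>' . htmlspecialchars($article['title'], ENT_QUOTES, 'UTF-8') . '</h1>';
    }
} catch (PDOException $e) {
    // The exception message may contain the full SQL text; keep it in the log only.
    error_log('DB error: ' . $e->getMessage());
    http_response_code(500);
    echo 'Something went wrong. Please try again later.';
}
```

Setting `PDO::ATTR_EMULATE_PREPARES` to false matters: with emulation on, PDO quotes and interpolates the values client-side before sending one SQL string, which works but relies on correct escaping rather than on the server keeping query and data apart. Turning `display_errors` off in production `php.ini` closes the same leak for uncaught PHP errors.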
Atli
Hi.

THE most important thing to keep in mind when building a website is to never trust any user-submitted data. Always thoroughly validate and sanitize all data before using it.
Functions like mysql_real_escape_string and the Variable handling functions are of great help with that.

You should also make sure that any dynamic content, like blog comments and such, is escaped, to prevent XSS attacks, using the htmlentities and strip_tags functions.

There are a lot of other things to consider though, like not quoting IDs in SQL queries and initializing variables before using them.
A quick Google search for PHP security should provide a list of the most common things to do.
Oct 5 '09 #3
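An added example (not code from the thread) of the points in the reply above: validating a numeric ID with the filter functions before it reaches a query, escaping dynamic content such as comments for the HTML context, and initializing variables before use. The comment records and the `$_GET` lookup are constructed sample input; `htmlspecialchars` is used here rather than `htmlentities` because it covers the characters that matter for HTML and leaves non-ASCII text readable.

```php
<?php
// Added example (not from the original thread). Output escaping and input
// validation for a comment listing; the comment data below is constructed.

declare(strict_types=1);

// Initialize every variable before use, so a request can never pre-seed it
// and a missing value never silently becomes null.
$isModerator = false;
$errors      = [];

// Escape untrusted text for an HTML body or attribute context. ENT_QUOTES
// also converts single quotes, so the result is safe inside quoted attributes.
function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// For comments where no markup is wanted: drop tags, then escape whatever
// remains. Caveat: strip_tags with an allow-list keeps the attributes of the
// allowed tags, so it is not a substitute for escaping; escape afterwards.
function cleanComment(string $raw): string
{
    return e(strip_tags($raw));
}

// Validate an ID as a positive integer. filter_var returns false on any
// value that is not a well-formed integer in range, so no SQL is ever built
// from free-form text.
function validateId($value): ?int
{
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed sample data standing in for rows read from the database.
$comments = [
    ['author' => 'alice',      'body' => 'Nice post!'],
    ['author' => '<b>bob</b>', 'body' => 'Hello <b>bold</b> "quoted" & more'],
];

$articleId = validateId($_GET['id'] ?? '42'); // '42' is a constructed default
if ($articleId === null) {
    $errors[] = 'Invalid article id.';
}

echo "<ul>\n";
foreach ($comments as $c) {
    // Author: escaped, so '<b>bob</b>' renders literally as text.
    // Body: tags removed and the rest escaped, so quotes and & cannot break markup.
    echo '  <li><strong>' . e($c['author']) . '</strong>: ' . cleanComment($c['body']) . "</li>\n";
}
echo "</ul>\n";

foreach ($errors as $err) {
    echo '<p class="error">' . e($err) . "</p>\n";
}
```

The second author name comes out as `&lt;b&gt;bob&lt;/b&gt;` and the second body as `Hello bold &quot;quoted&quot; &amp; more`, so nothing a commenter types can become markup. The validated `$articleId` is the value to bind as `PDO::PARAM_INT` in a prepared statement; on failure the page reports the error instead of running a query with the raw string.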
