Hi, I'm making litle CMS with PHP+Mysql. Can you tellme measures for prevention for SQL Injections ?
ultras1 0 Newbie Poster
smartness -3 Junior Poster
--> Use htmlentities() for user submitted data!
when you get the id from the url:
$id = $_GET["id"];
use this:
$id = (int)$_GET["id"];
this is only when the ID is a integer!
I would suggest using a php mysql class!
kylegetson 16 Junior Poster in Training
using php base64_encode and php base64_decode can help as well.
never run a query on data you unsure about.
also, its a good idea to restrict the permissions of the mysql user your scripts are using, so in case someone does get in, they can't create, alter or drop tables. require an additional login before allowing those type of queries.
backup early. backup often.
darkagn commented: Great suggestions +3
ultras1 0 Newbie Poster
when you get the id from the url:
$id = $_GET["id"];
use this:
$id = (int)$_GET["id"];this is only when the ID is a integer!
Interesting
using php base64_encode and php base64_decode can help as well.
I had never known about that, it looks interesting. For example if I have "index.php?id=33&page=1" . What to encode? I guess "id=33&page=1" ?
kylegetson 16 Junior Poster in Training
When creating links use:
$id=33;
$page=1;
$link = "index.php?id=".base64_encode($id)."&page=".base64_encode($page);Then when getting those variables:
$id = base64_decode($_GET['id']);
$page = base64_decode($_GET['page']);hope that helps.
mwasif 10 Posting Whiz
There is a simple rule, always treat user input an evil :)
koldex 0 Newbie Poster
Good
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.