Hi, I'm making litle CMS with PHP+Mysql. Can you tellme measures for prevention for SQL Injections ?

--> mysql_real_escape_string

--> Use htmlentities() for user submitted data!

when you get the id from the url:
$id = $_GET["id"];
use this:
$id = (int)$_GET["id"];

this is only when the ID is a integer!

I would suggest using a php mysql class!

using php base64_encode and php base64_decode can help as well.

never run a query on data you unsure about.

also, its a good idea to restrict the permissions of the mysql user your scripts are using, so in case someone does get in, they can't create, alter or drop tables. require an additional login before allowing those type of queries.

backup early. backup often.

commented: Great suggestions +3

when you get the id from the url:
$id = $_GET["id"];
use this:
$id = (int)$_GET["id"];

this is only when the ID is a integer!

Interesting

using php base64_encode and php base64_decode can help as well.

I had never known about that, it looks interesting. For example if I have "index.php?id=33&page=1" . What to encode? I guess "id=33&page=1" ?

When creating links use:

$id=33;
$page=1;
$link = "index.php?id=".base64_encode($id)."&page=".base64_encode($page);

Then when getting those variables:

$id = base64_decode($_GET['id']);
$page = base64_decode($_GET['page']);

hope that helps.

There is a simple rule, always treat user input an evil :)

Good

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.