Robot Portal

Easily manage all aspects of your account | Knowledgebase |

Knowledgebase

SQL injection, insertion!

SQL injection is an attack where malicious code is passed to an SQL Server for execution. The attack can result in unauthorized access to confidential data, or destruction of critical data.

Before you try to read the methods below, realize that this should only be a concern for PHP developers and the like. If you are using a database driven program (e.g. WordPress, Joomla, OSCommerce), then all you need to do is upgrade your programs to the latest version available.

Methods to prevent SQL injection

Escaping

One way to prevent injections is to escape dangerous characters (i.e. backslash, apostrophe and semicolon). In PHP, it is typical to escape the input using the function mysql_real_escape_string before sending the SQL query. Example:

$Uname = mysql_real_escape_string($Uname);
$Pword = mysql_real_escape_string($Pword);
$query = "SELECT * FROM Users where UserName='$Uname' and Password='$Pword'";
mysql_query($query);

Parameterized statements

A parameterized query uses placeholders for the input, and the parameter values are supplied at execution time.

$params = array($Uname, $Pword);
$sql = 'INSERT INTO Users (UserName, Password) VALUES (?, ?)';
$query = sqlsrv_query($connection, $sql, $params);

Advanced: In PHP version 5 and above, there are multiple choices for using parameterized statements; the PDO database layer is one of them. There are also vendor-specific methods; for example, MySQL 4.1 + used with the mysqli extension.

  • 64 Users Found This Useful

Was this answer helpful?

Related Articles

My Joomla has been hacked!

A Joomla is usually compromised when it or its components / modules are outdated. Another very...

What happens to someone abusing system resources?

The offending site will be suspended and the owner will be given an opportunity to fix the...

How to submit a DMCA complaint?

Reporting copyright infringement? You must follow these steps before submitting any information...

My account was hacked!

If you are the victim of a hacker you can mail to our support department and our experts will...

How to handle the Google Attack Page?

When you see the dreaded Google attack site warning, you should immediately email : hostmaster...

  Tag Cloud

Born in 2004 ... Trusted By Clients n' Experts

SEO Stars

They never made me feel silly for asking questions. Help me understand how to attract more people and improve my search engine ranking.

Read More

Emily Schneller Manager at Sabre Inc
SEO Stars

Took advantage of Hostseo's superb tech support and I must say, it is a very perfect one. It is very fast, servers reliability is incredible.

Read More

Leena Mäkinen Creative producer
SEO Stars

We're operating a worldwide network of servers with high quality standards requirements, we’ve choose hostseo to be our perfect partner.

Read More

Ziff Davis CEO at Mashable
SEO Stars

It’s very comfortable to know I can rely about all technical issues on Hostseo and mostly that my website and emails are safe and secured here.

Read More

Isaac H. Entrepreneur
SEO Stars

With hostseo as a hosting partner we are more flexible and save money due to the better packages with great pricing, free SEO n' free SSL too!

Read More

Madeline E. Internet Professional