Archive for the ‘MySQL’ Tag

Protect your application against SQL injections (2)

In part 1 we made sure that the value is an integer, but what if the value may be a string?
You have to escape the special characters in a string before using it in a SQL statement. In MySQL this means that a single quote (') gets a backslash in front of it (\'); standard SQL and databases such as SQLite and PostgreSQL double the quote instead (''). Prepared statements with bound parameters avoid manual escaping altogether and are the preferred approach.

There are escape functions for each popular database:

Read more »

Protect your application against SQL injections (1)

Many applications use a database to store data. Popular products are MySQL, SQLite and PostgreSQL.
A lot of websites use a number called ID in the URL to fetch a single record, such as a product or a posting.

The problem with IDs is that if they aren't validated, attackers can read, change or destroy your database by manipulating the SQL query.
This attack is called SQL injection.

An example that fetches the field "title" from the row whose ID is the value of $_GET['id']:

Read more »
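The two posts above describe the same attack from two angles: an unvalidated integer ID (part 1) and an unescaped string (part 2). The following Python/sqlite3 example is added here to show both in working code; it is not the blog's own PHP/MySQL code, and the table, rows and the raw_id / raw_author inputs are constructed for the demo. The vulnerable functions build the query by string concatenation exactly as the posts warn against; the hardened ones validate the integer, escape the quote, or bind a parameter. Note that SQLite escapes a quote by doubling it, where MySQL's escape functions prepend a backslash.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data (not from the original posts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, author TEXT)"
    )
    conn.executemany(
        "INSERT INTO posts VALUES (?, ?, ?)",
        [
            (1, "First post", "alice"),
            (2, "Second post", "bob"),
            (3, "Hidden draft", "admin"),
        ],
    )
    return conn


def title_vulnerable(conn, raw_id):
    """Part 1 'before': the raw id is pasted straight into the query.
    An input like '1 OR 1=1' widens the WHERE clause to every row."""
    sql = f"SELECT title FROM posts WHERE id = {raw_id} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def title_validated(conn, raw_id):
    """Part 1 fix: accept only an unsigned integer, then use the
    converted int. Anything else is rejected before it reaches SQL."""
    if not re.fullmatch(r"[0-9]+", raw_id):
        raise ValueError("id must be an integer")
    sql = f"SELECT title FROM posts WHERE id = {int(raw_id)} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def titles_by_author_vulnerable(conn, raw_author):
    """Part 2 'before': the string is quoted but not escaped, so a
    single quote in the input closes the literal early."""
    sql = f"SELECT title FROM posts WHERE author = '{raw_author}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def titles_by_author_escaped(conn, raw_author):
    """Part 2 fix (a): escape the quote by hand. SQLite and standard SQL
    double it; MySQL's escape functions would prepend a backslash."""
    escaped = raw_author.replace("'", "''")
    sql = f"SELECT title FROM posts WHERE author = '{escaped}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def titles_by_author_param(conn, raw_author):
    """Part 2 fix (b): bind the value as a parameter. The driver never
    interpolates it into the SQL text, so no escaping is needed."""
    sql = "SELECT title FROM posts WHERE author = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (raw_author,))]


if __name__ == "__main__":
    db = make_db()
    # Constructed attacker inputs, as they would arrive via $_GET.
    bad_id = "1 OR 1=1"
    bad_author = "' OR '1'='1"
    print("vulnerable id:    ", title_vulnerable(db, bad_id))
    try:
        title_validated(db, bad_id)
    except ValueError as exc:
        print("validated id:      rejected:", exc)
    print("vulnerable string:", titles_by_author_vulnerable(db, bad_author))
    print("escaped string:   ", titles_by_author_escaped(db, bad_author))
    print("bound parameter:  ", titles_by_author_param(db, bad_author))
```

Running the script shows both vulnerable functions returning all three titles, including the "Hidden draft" the attacker should never see, while the validated, escaped and parameterized variants return only what the input legitimately matches.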