Wednesday, 15 June 2016

Prevent SQL Injection Attack

00:34


(1) mysqli_real_escape_string() :

The mysqli_real_escape_string() function escapes special characters in a string for use in an SQL statement.

Syntax :

mysqli_real_escape_string(connection, escapestring);

connection : Required. Specifies the MySQL connection to use
escapestring : Required. The string to be escaped.
Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and Control-Z.

Example :

<?php

// "your_database" is a placeholder: use the name of the database that holds the Persons table
$con = mysqli_connect("localhost", "root", "", "your_database");

// Check connection (stop here, there is nothing to escape against without a connection)
if (!$con) {
  die("Failed to connect to MySQL: " . mysqli_connect_error());
}

// escape variables for security
// The escaping only protects values that are wrapped in quotes in the SQL below;
// an escaped value spliced in without quotes would still be interpreted as SQL.
$firstname = mysqli_real_escape_string($con, $_POST['firstname']);
$lastname = mysqli_real_escape_string($con, $_POST['lastname']);
$age = mysqli_real_escape_string($con, $_POST['age']);

$sql = "INSERT INTO Persons (FirstName, LastName, Age)
VALUES ('$firstname', '$lastname', '$age')";

if (!mysqli_query($con, $sql)) {
  die(mysqli_error($con));
}
echo "1 record added";

mysqli_close($con);
?>



(2) stripslashes() :

The stripslashes() function removes backslashes added by the addslashes() function.

Tip: This function can be used to clean up data retrieved from a database or from an HTML form.

Syntax :
stripslashes(string)

string : Required. Specifies the string to check

Example   :

<!DOCTYPE html>
<html>
<body>

<?php
echo stripslashes("Who\'s Peter Griffin?");
?>

</body>
</html>



(3) addcslashes() :

The addcslashes() function returns a string with backslashes in front of the specified characters.

Note: The addcslashes() function is case-sensitive.

Note: Be careful using addcslashes() on 0 (NULL), r (carriage return), n (newline), f (form feed), t (tab) and v (vertical tab). In PHP, \0, \r, \n, \t, \f and \v are predefined escape sequences.

Syntax :
addcslashes(string, characters)

string : Required. Specifies the string to be escaped
characters : Required. Specifies the characters or range of characters to be escaped

EXAMPLE:

<?php
$str = addcslashes("Hello World!","W");
echo($str);
?>


EXAMPLE:

<!DOCTYPE html>
<html>
<body>

<?php
$str = "Welcome to my humble Homepage!";
echo $str."<br>";
echo addcslashes($str,'A..Z')."<br>";
echo addcslashes($str,'a..z')."<br>";
echo addcslashes($str,'a..g');
?>

</body>
</html>

OUTPUT:
Welcome to my humble Homepage!
\Welcome to my humble \Homepage!
W\e\l\c\o\m\e \t\o \m\y \h\u\m\b\l\e H\o\m\e\p\a\g\e!
W\el\com\e to my hum\bl\e Hom\ep\a\g\e!



(4) trim() :

The trim() function removes whitespace and other predefined characters from both sides of a string.

Example:

<?php
$str = "Hello World!";
echo $str . "<br>";
echo trim($str, "Hed!");
?>

OUTPUT:

Hello World!
llo Worl



(5) htmlspecialchars() :

The htmlspecialchars() function in PHP converts five characters into the corresponding HTML entities where applicable. It is used to encode user input before it is written into a page, so that users cannot insert harmful HTML code into the site.

The htmlspecialchars() function converts some predefined characters to HTML entities.
The predefined characters are:
  • & (ampersand) becomes &amp;
  • " (double quote) becomes &quot;
  • ' (single quote) becomes &#039;
  • < (less than) becomes &lt;
  • > (greater than) becomes &gt;

EXAMPLE:

<?php
$str = "Jane & 'Tarzan'";
echo htmlspecialchars($str, ENT_COMPAT); // Will only convert double quotes
echo "<br>";
echo htmlspecialchars($str, ENT_QUOTES); // Converts double and single quotes
echo "<br>";
echo htmlspecialchars($str, ENT_NOQUOTES); // Does not convert any quotes
?>

OUTPUT (as rendered by the browser):

Jane & 'Tarzan'
Jane & 'Tarzan'
Jane & 'Tarzan'

The HTML source the browser actually receives shows the encoding:

Jane &amp; 'Tarzan'<br>Jane &amp; &#039;Tarzan&#039;<br>Jane &amp; 'Tarzan'



================================================================================================================================================
From Validation to Prevent SQL Injection Attack :
<html>
  <head>
      <style>
         .error {color: #FF0000;}
      </style>
   </head>
  
   <body>
      <?php
         // define variables and set to empty values
         $nameErr = $emailErr = $genderErr = $websiteErr = $subjectErr = "";
         $name = $email = $gender = $class = $course = "";
         $subject = [];   // the multi-select always yields an array
        
         if ($_SERVER["REQUEST_METHOD"] == "POST") {
            if (empty($_POST["name"])) {
               $nameErr = "Name is required";
            }
            else
            {
               $name = test_input($_POST["name"]);
            }
           
            if (empty($_POST["email"])) {
               $emailErr = "Email is required";
            }
            else
            {
               $email = test_input($_POST["email"]);
              
               // check if e-mail address is well-formed
               if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
                  $emailErr = "Invalid email format";
               }
            }
           
            if (empty($_POST["course"])) {
               $course = "";
            }
            else
            {
               $course = test_input($_POST["course"]);
            }
           
            if (empty($_POST["class"])) {
               $class = "";
            }
            else
            {
               $class = test_input($_POST["class"]);
            }
           
            if (empty($_POST["gender"])) {
               $genderErr = "Gender is required";
            }
            else
            {
               $gender = test_input($_POST["gender"]);
            }
           
            if (empty($_POST["subject"])) {
               $subjectErr = "You must select 1 or more";
            }
            else
            {
               // every selected option is cleaned the same way as the other fields
               $subject = array_map('test_input', (array) $_POST["subject"]);
            }
         }
        
         // strip surrounding whitespace and backslashes, then HTML-encode the value
         // so it is safe to echo back into this page (protects the HTML output);
         // a value that is later written to the database still needs escaping or
         // a prepared statement, as in section (1)
         function test_input($data) {
            $data = trim($data);
            $data = stripslashes($data);
            $data = htmlspecialchars($data);
            return $data;
         }
      ?>
                               
      <h2>Absolute classes registration</h2>
     
      <p><span class="error">* required field.</span></p>
     
      <form method="POST" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
         <table>
            <tr>
               <td>Name:</td>
               <td><input type="text" name="name">
                  <span class="error">* <?php echo $nameErr;?></span>
               </td>
            </tr>
           
            <tr>
               <td>E-mail: </td>
               <td><input type="text" name="email">
                  <span class="error">* <?php echo $emailErr;?></span>
               </td>
            </tr>
           
            <tr>
               <td>Time:</td>
               <td> <input type="text" name="course">
                  <span class="error"><?php echo $websiteErr;?></span>
               </td>
            </tr>
           
            <tr>
               <td>Classes:</td>
               <td> <textarea name="class" rows="5" cols="40"></textarea></td>
            </tr>
           
            <tr>
               <td>Gender:</td>
               <td>
                  <input type="radio" name="gender" value="female">Female
                  <input type="radio" name="gender" value="male">Male
                  <span class="error">* <?php echo $genderErr;?></span>
               </td>
            </tr>
           
            <tr>
               <td>Select:</td>
               <td>
                  <select name="subject[]" size="4" multiple>
                     <option value="Android">Android</option>
                     <option value="Java">Java</option>
                     <option value="C#">C#</option>
                     <option value="Data Base">Data Base</option>
                     <option value="Hadoop">Hadoop</option>
                     <option value="VB script">VB script</option>
                  </select>
               </td>
            </tr>
           
            <tr>
               <td>Agree</td>
               <td><input type="checkbox" name="checked" value="1">
                  <?php if(!isset($_POST['checked'])){ ?>
                  <span class="error">* <?php echo "You must agree to terms";?></span>
                  <?php } ?>
               </td>
            </tr>
           
            <tr>
               <td>
                  <input type="submit" name="submit" value="Submit">
               </td>
            </tr>
           
         </table>
      </form>
     
      <?php
         echo "<h2>Your given values are as :</h2>";
         echo ("<p>Your name is $name</p>");
         echo ("<p> your email address is $email</p>");
         echo ("<p>Your class time at $course</p>");
         echo ("<p>your class info $class </p>");
         echo ("<p>your gender is $gender</p>");
        
         // only iterate when something was selected; $subject is "" or [] otherwise
         if (is_array($subject)) {
            foreach ($subject as $s) {
               echo($s . " ");
            }
         }
      ?>
 </body>

</html>
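The escaping shown in section (1) and the test_input() cleaning in the form above both work on the string before it reaches the database, and both depend on the value being placed inside quotes in the SQL. The added example below (not code from the original post) writes the same Persons table from section (1) with a mysqli prepared statement, where the SQL text never contains user input at all, so no escaping step can be forgotten. The connection details, the "your_database" name, the field names firstname/lastname/age and the 0..150 age range are assumptions made for the example; get_result() assumes the mysqlnd driver that ships with current PHP builds.

```php
<?php
// Added example: store a validated registration with a mysqli prepared statement.
// Placeholders: "localhost", "root", "" and "your_database" stand for the real
// connection details; Persons(FirstName, LastName, Age) is the table from section (1).

function connect_db(): mysqli
{
    // throw exceptions on errors instead of returning false and carrying on
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $con = new mysqli("localhost", "root", "", "your_database");
    // the connection charset also governs how the server interprets escaping
    $con->set_charset("utf8mb4");
    return $con;
}

/**
 * Insert one person and return the new auto-increment id.
 * $age is typed int, so a non-numeric value can never reach the query.
 */
function insert_person(mysqli $con, string $firstname, string $lastname, int $age): int
{
    // The SQL text is fixed. The ? markers are filled in by the server from the
    // bound values, so a quote, comment marker or semicolon in the input is just data.
    $stmt = $con->prepare("INSERT INTO Persons (FirstName, LastName, Age) VALUES (?, ?, ?)");
    $stmt->bind_param("ssi", $firstname, $lastname, $age);   // s = string, i = integer
    $stmt->execute();
    $id = $con->insert_id;
    $stmt->close();
    return $id;
}

/** Look people up by last name; same rule, the name is bound, never interpolated. */
function find_by_lastname(mysqli $con, string $lastname): array
{
    $stmt = $con->prepare("SELECT FirstName, LastName, Age FROM Persons WHERE LastName = ?");
    $stmt->bind_param("s", $lastname);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

if ($_SERVER["REQUEST_METHOD"] === "POST") {
    // validation: required text fields and a whole number for the age (assumed range 0..150)
    $firstname = trim($_POST["firstname"] ?? "");
    $lastname  = trim($_POST["lastname"] ?? "");
    $age       = filter_var($_POST["age"] ?? "", FILTER_VALIDATE_INT,
                            ["options" => ["min_range" => 0, "max_range" => 150]]);

    if ($firstname === "" || $lastname === "" || $age === false) {
        die("Name fields are required and age must be a whole number between 0 and 150");
    }

    $con = connect_db();
    $id = insert_person($con, $firstname, $lastname, $age);

    // htmlspecialchars() is applied at output time, for the HTML context, not before the
    // database write: the stored value stays the real name, the page stays XSS-safe.
    echo "<p>1 record added (id " . $id . ") for "
       . htmlspecialchars("$firstname $lastname", ENT_QUOTES, "UTF-8") . "</p>";

    foreach (find_by_lastname($con, $lastname) as $row) {
        echo "<p>" . htmlspecialchars($row["FirstName"] . " " . $row["LastName"], ENT_QUOTES, "UTF-8")
           . ", age " . (int) $row["Age"] . "</p>";
    }
    $con->close();
}
?>
```

The design choice is the split between the two functions: the value is validated (type, range, required) when it arrives, bound as a parameter when it is stored, and HTML-encoded only when it is printed. Each step guards a different interpreter, and none of them relies on the others having run.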
