
Basic Tips to secure PHP Application

Always use these tips to protect against SQL injection

  • Validation
  • Prepared statement
  • Limited privilege of database user
Validation

You can use mysql_real_escape_string() to escape a requested value before it is placed in the query string (it needs an open mysql_connect() connection).

//Example:
//Requires an open mysql_connect() connection. The mysql_* extension is
//deprecated since PHP 5.5 and removed in PHP 7; prefer the PDO example below.
$uname = mysql_real_escape_string($_POST['uname']);
$upwd  = mysql_real_escape_string($_POST['upwd']);
$sql   = "select userid from tbl_user where user_name='" . $uname . "' and user_pwd='" . $upwd . "'";
Prepared statement

It is used to run queries fast and securely. It is the main defence mechanism against SQL injection attacks, because the query text is fixed when it is prepared and the values are sent separately.

//Example:
//Here the PDO class of PHP is used

$db = new PDO("mysql:host=localhost;dbname=test", 'db_user', 'db_password');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // throw on errors instead of failing silently
$stmt = $db->prepare("select * from photo_gallery where photoid=:photoID");
$id = intval($_GET['id']);                       // numeric input: cast before binding
$stmt->bindParam(":photoID", $id, PDO::PARAM_INT); // bound as data, never part of the SQL text
$stmt->execute();
echo $stmt->rowCount();
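The following is an added example, not code from the original post: it takes the login lookup from the Validation section above and rewrites it as a PDO prepared statement, next to the page's concatenated query, to show that a bound value never becomes part of the SQL text. It assumes an in-memory SQLite database in place of the MySQL DSN on the page so it runs offline, and the table tbl_user with its two rows is constructed here for the demo (plaintext passwords only because the page's table has them).

```php
<?php
// Added example (not from the original post): the login lookup from the
// Validation section rewritten with a PDO prepared statement, next to the
// page's concatenated query. Assumptions: an in-memory SQLite database stands
// in for the MySQL DSN on the page so the script runs offline, and tbl_user
// with its two rows is constructed here for the demo.

function connectDemo(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // With the MySQL driver also switch off client-side emulation so the
    // server itself separates SQL text from parameters:
    // $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec('CREATE TABLE tbl_user (userid INTEGER PRIMARY KEY, user_name TEXT, user_pwd TEXT)');
    $db->exec("INSERT INTO tbl_user VALUES (1, 'alice', 'secret1'), (2, 'O''Brien', 'secret2')");
    return $db;
}

// The page's approach: user input spliced into the SQL text.
function concatenatedSql(string $uname, string $upwd): string
{
    return "select userid from tbl_user where user_name='" . $uname . "' and user_pwd='" . $upwd . "'";
}

// Prepared statement: the SQL text is fixed at prepare() time and the
// values travel separately, so a quote in the input is just a character.
function findUserId(PDO $db, string $uname, string $upwd): ?int
{
    $stmt = $db->prepare('SELECT userid FROM tbl_user WHERE user_name = :uname AND user_pwd = :upwd');
    $stmt->bindValue(':uname', $uname, PDO::PARAM_STR);
    $stmt->bindValue(':upwd', $upwd, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['userid'];
}

$db = connectDemo();
var_dump(findUserId($db, 'alice', 'secret1'));    // int(1)
var_dump(findUserId($db, 'alice', 'wrong'));      // NULL
var_dump(findUserId($db, "O'Brien", 'secret2'));  // int(2): the quote is handled as data

// The same legitimate name breaks the concatenated query: the quote ends the
// string literal early and the statement no longer parses. This is exactly
// the mechanism SQL injection relies on to alter the WHERE clause.
try {
    $db->query(concatenatedSql("O'Brien", 'secret2'));
} catch (PDOException $e) {
    echo 'concatenated query failed: ', $e->getMessage(), "\n";
}
```

Run it with `php` on a build that has pdo_sqlite enabled. The only thing that changes for MySQL is the DSN and the credentials; the bindValue() calls and the query text stay the same.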
Limited privilege of database user

Give the database user that the application connects with only limited privileges (like SELECT, UPDATE, EXECUTE, ALTER etc.), and don't grant DROP, TRUNCATE etc. Then even a successful injection cannot destroy the tables.
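As an added example (not from the original post), here is a small PHP provisioning script an administrator would run once to create such a restricted MySQL account, followed by a check from the application side that the account really cannot run DDL. The admin DSN and credentials, the application host, the database name "test" and the probe table name are placeholders; the GRANT list deliberately leaves out ALTER, on the assumption that the application never changes its own schema at runtime (the page lists ALTER as acceptable; that is a judgement call for your application).

```php
<?php
// Added example (not from the original post): provisioning a least-privilege
// MySQL account for the application and verifying it cannot drop tables.
// Assumptions: ADMIN_DSN, the root credentials, APP_HOST and the database
// name "test" are placeholders; CREATE USER IF NOT EXISTS is MySQL 5.7+ syntax.

const ADMIN_DSN = 'mysql:host=localhost;dbname=test';   // placeholder
const APP_USER  = 'app_user';
const APP_HOST  = 'localhost';                          // host the PHP app connects from

function provisionAppUser(PDO $admin, string $password): void
{
    // The password is a string literal and can be quoted; identifiers and
    // privilege lists cannot be bound as parameters, so they are constants here.
    $pw   = $admin->quote($password);
    $acct = "'" . APP_USER . "'@'" . APP_HOST . "'";
    $admin->exec("CREATE USER IF NOT EXISTS $acct IDENTIFIED BY $pw");
    // Data privileges only. No DROP (TRUNCATE needs DROP as well), no ALTER,
    // no GRANT OPTION, no FILE, no SUPER.
    $admin->exec("GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON test.* TO $acct");
    $admin->exec('FLUSH PRIVILEGES');
}

// Check from the application's point of view: DDL must be refused. A table
// name that does not exist is used so nothing is lost if the check ever fails;
// MySQL checks the privilege before it checks whether the table exists.
function canDropTable(string $dsn, string $user, string $password): bool
{
    $db = new PDO($dsn, $user, $password);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    try {
        $db->exec('DROP TABLE IF EXISTS privilege_probe_tmp');
        return true;   // must not happen for the app user
    } catch (PDOException $e) {
        // MySQL error 1142 "command denied to user", SQLSTATE 42000
        return false;
    }
}

$admin = new PDO(ADMIN_DSN, 'root', getenv('MYSQL_ROOT_PASSWORD') ?: '');  // placeholder credentials
$admin->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$appPassword = bin2hex(random_bytes(16));   // store this in the app's config, not in code
provisionAppUser($admin, $appPassword);
var_dump(canDropTable(ADMIN_DSN, APP_USER, $appPassword));   // bool(false) when privileges are right
```

If the last line prints `bool(true)` the account has more than it should; run `SHOW GRANTS FOR 'app_user'@'localhost'` as the administrator to see what was actually granted.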

Always use these tips to protect against PHP code injection

  • Always use intval() to validate numeric values
    $id=intval($_GET['id']);
    
  • Don't use the eval() function; use htmlspecialchars() on output to protect against attackers
  • Don't use serialize() and unserialize() on client data (PHP object injection); use json_encode() and json_decode() instead
  • Always use a token for cross-site (CSRF) security
    // generate the token once per session; regenerating it on every request
    // would make the comparison below always fail
    if(!isset($_SESSION['token'])){
        $_SESSION['token']=sha1(uniqid(mt_rand(0,100000),true));
    }
    if(isset($_POST['submit'],$_POST['token']) and hash_equals($_SESSION['token'],$_POST['token'])){
    /*statement......*/
    }
    
  • Always use CDATA to protect the xml and javascript injection.
    <![CDATA[
    /*statements....*/
    ]]>
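The following added example (not from the original post) puts the items of the list above together in one small form handler: intval() on the numeric id, a per-session CSRF token generated with random_bytes() (a stronger source than uniqid()/mt_rand()) and compared with hash_equals(), htmlspecialchars() on everything echoed back, and json_decode() instead of unserialize() for structured data from the client. The session is passed in as an array instead of using session_start(), and the field names and the sample request arrays are constructed for the demo so it runs from the command line.

```php
<?php
// Added example (not from the original post): a form handler applying the
// page's PHP-injection tips. Assumptions: the session is a plain array
// (instead of $_SESSION after session_start()) and the request arrays are
// constructed below so the script runs offline.

function csrfToken(array &$session): string
{
    // Generate once per session. Regenerating on every request, as the
    // page's snippet does, would make the comparison always fail.
    if (empty($session['token'])) {
        $session['token'] = bin2hex(random_bytes(32));
    }
    return $session['token'];
}

function csrfValid(array $session, array $post): bool
{
    if (!isset($session['token'], $post['token']) || !is_string($post['token'])) {
        return false;
    }
    return hash_equals($session['token'], $post['token']);   // constant-time compare
}

// Output encoding: ENT_QUOTES so a value cannot break out of an attribute.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderForm(string $token, int $id): string
{
    return '<form method="post">'
         . '<input type="hidden" name="token" value="' . e($token) . '">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<input type="text" name="name">'
         . '<input type="submit" name="submit" value="Save"></form>' . "\n";
}

function handle(array &$session, array $get, array $post): string
{
    $id    = intval($get['id'] ?? 0);   // numeric input: cast, never trust the string
    $token = csrfToken($session);
    if (!isset($post['submit'])) {
        return renderForm($token, $id);
    }
    if (!csrfValid($session, $post)) {
        return "rejected: bad token\n";
    }
    // Structured client data: JSON with assoc=true, never unserialize().
    $prefs = json_decode(is_string($post['prefs'] ?? null) ? $post['prefs'] : '{}', true);
    if (!is_array($prefs)) {
        return "rejected: bad prefs\n";
    }
    $name = e(is_string($post['name'] ?? null) ? $post['name'] : '');
    return "saved id=$id name=$name prefs=" . json_encode($prefs) . "\n";
}

// Constructed requests for the demo.
$session = [];
echo handle($session, ['id' => '7abc'], []);                            // prints the form with id=7
echo handle($session, ['id' => '7'], ['submit' => 1, 'token' => 'x']);  // rejected: bad token
echo handle($session, ['id' => '7'], [
    'submit' => 1,
    'token'  => $session['token'],
    'name'   => '<b>Bob</b>',
    'prefs'  => '{"theme":"dark"}',
]);   // saved id=7 name=&lt;b&gt;Bob&lt;/b&gt; prefs={"theme":"dark"}
```

In a real application replace the `$session` array with `$_SESSION` after `session_start()`; everything else stays the same. The CDATA tip from the list is a separate concern (keeping script or XML content from being parsed as markup) and is not covered by this handler.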


© 2014 Powered By