24 Nov 2009

Some steps to prevent PHP injection

There are probably many articles that discuss how to prevent PHP injection, but here I will explain the source code in more detail so that it is easier for the reader to implement. You have surely heard the term PHP injection before, but some people may not understand what PHP injection is. PHP injection is a term for an intruder breaking web security by entering PHP scripts and JavaScript into the web system through media such as news input forms, a shoutbox, or the URL. To avoid this, there are some steps we can take, namely:

1. You can slightly modify the code that runs the query for a news item (News), so that the id taken from the URL is escaped before it is placed in the query. Here is a sample code:
<?php
$dbh = mysql_connect('localhost', 'username', 'password');
mysql_select_db('cmsdb', $dbh);
// Escape the id before it is placed in the SQL string
$id = mysql_real_escape_string($_GET['id']);
$SQL = "SELECT * FROM `nama_tabel` WHERE `id` = '" . $id . "'";
$result = mysql_query($SQL, $dbh) or die(mysql_error($dbh));
while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
    $headline = stripslashes($row['headline']);
    echo "Headline " . $headline;
}
mysql_free_result($result);
mysql_close($dbh);
?>

2. You can validate the data that comes from the URL. Example:
<?php
$dbh = mysql_connect('localhost', 'username', 'password');
mysql_select_db('cmsdb', $dbh);
$id = $_GET['id'];
// Reject anything that is not a number before it reaches the query
if (!is_numeric($id)) {
    die("Do not modify the ID news");
}
$SQL = "SELECT * FROM `nama_tabel` WHERE `id` = '" . $id . "'";
$result = mysql_query($SQL, $dbh) or die(mysql_error($dbh));
while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
    $headline = stripslashes($row['headline']);
    echo "Headline " . $headline;
}
mysql_free_result($result);
mysql_close($dbh);
?>
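The following is an added example, not code from the original post: it combines steps 1 and 2 (validate the id, keep it out of the SQL text) in the form a practitioner would write today, since the mysql_* functions used above were removed in PHP 7. It assumes PDO, uses an in-memory SQLite table as a stand-in for the MySQL table `nama_tabel`, and the table rows and the sample inputs are constructed; the function names are mine.

```php
<?php
// Added example (not from the original post): the news-by-id lookup from
// steps 1 and 2, written with PDO so it runs on PHP 7/8. The SQLite table
// below stands in for MySQL's `nama_tabel`; the rows are constructed.
declare(strict_types=1);

function open_sample_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE nama_tabel (id INTEGER PRIMARY KEY, headline TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO nama_tabel (id, headline) VALUES (?, ?)');
    $ins->execute([1, 'First news item']);
    $ins->execute([2, 'Second news item']);
    return $db;
}

// Step 2's is_numeric() also accepts values such as "1e3", leading
// whitespace and (before PHP 7) "0x1A", so validate as a strict positive
// integer instead. Returns null when the value is not an acceptable id.
function validate_id($raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Step 1's escaping is replaced by a prepared statement: the id travels to
// the database as a bound parameter and is never part of the SQL text.
function fetch_headline(PDO $db, $raw_id): ?string {
    $id = validate_id($raw_id);
    if ($id === null) {
        return null;   // the equivalent of die("Do not modify the ID news")
    }
    $stmt = $db->prepare('SELECT headline FROM nama_tabel WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['headline'];
}

$db = open_sample_db();
// Constructed inputs standing in for $_GET['id']: a legitimate id, a value
// that is not a plain integer, a scientific-notation number and an unknown id.
foreach (['2', '1 OR 1=1', '1e3', '9'] as $raw) {
    $headline = fetch_headline($db, $raw);
    printf("id=%-12s -> %s\n", var_export($raw, true), $headline ?? '(rejected or not found)');
}
```

Only the first input returns a headline; the other three are rejected by `validate_id()` or simply not found, and in no case does the raw string touch the SQL statement.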

3. Limiting the number of characters in the username at login. Example:
<?php
$dbh = mysql_connect('localhost', 'username', 'password');
mysql_select_db('cmsdb', $dbh);
// The beginning of the original snippet is missing from the page; the username
// and password are assumed to come from the login form's POST fields and are
// escaped as in step 1
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
if (strlen($username) < 5 || strlen($username) > 25) {
    die('Your username has an excessive number of digits! Enter only between 5 and 25 digits');
}

// Running the query
$SQL = "SELECT * FROM users WHERE username = '" . $username . "'";
$SQL .= " AND password = PASSWORD('$password')";
$result = mysql_query($SQL);
mysql_close($dbh);
?>
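As an added example (not the original post's code), here is the login check from step 3 with the username length limit kept, the query turned into a prepared statement, and MySQL's PASSWORD() function replaced by PHP's password_hash()/password_verify(), since PASSWORD() is no longer available in current MySQL releases. It assumes PDO and an in-memory SQLite table; the `users` table, the sample account and the login attempts are constructed, and the function names are mine.

```php
<?php
// Added example (not from the original post): step 3's login with the
// 5-25 character username limit, a bound username parameter, and the password
// checked in PHP instead of inside the SQL. Table and account are constructed.
declare(strict_types=1);

const USERNAME_MIN = 5;
const USERNAME_MAX = 25;

function open_users_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $ins->execute(['editor1', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Step 3's length limit, returning an error message instead of calling die()
function check_username_length(string $username): ?string {
    $len = strlen($username);
    if ($len < USERNAME_MIN || $len > USERNAME_MAX) {
        return sprintf('Enter a username of %d to %d characters', USERNAME_MIN, USERNAME_MAX);
    }
    return null;
}

function login(PDO $db, string $username, string $password): bool {
    if (check_username_length($username) !== null) {
        return false;
    }
    // The username is bound, never concatenated; the password never reaches SQL.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;   // unknown user
    }
    return password_verify($password, $row['password_hash']);
}

$db = open_users_db();
$attempts = [
    ['editor1', 'correct horse'],          // valid credentials
    ['editor1', 'wrong'],                  // wrong password
    ["o'brien", 'anything'],               // quote in the name is harmless when bound
    [str_repeat('a', 40), 'anything'],     // over the 25-character limit
];
foreach ($attempts as [$u, $p]) {
    printf("%-30s -> %s\n", var_export($u, true), login($db, $u, $p) ? 'login ok' : 'rejected');
}
```

Only the first attempt succeeds. The third shows why binding is preferable to escaping: a single quote in the username needs no special handling and cannot alter the query, and the fourth never reaches the database at all because the length check fails first.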
