Prevent SQL Injection Attack

(1) mysqli_real_escape_string() :

The mysqli_real_escape_string() function escapes special characters in a string for use in an SQL statement.

Syntax :

mysqli_real_escape_string(connection, escapestring);

connection : Required. Specifies the MySQL connection to use
escapestring : Required. The string to be escaped.
Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and Control-Z.

Example :

<?php

// mysqli_* functions throughout: the old mysql_* extension cannot be mixed with a mysqli connection
$con = mysqli_connect("localhost", "root", "");

// Check connection; stop here if it failed, there is nothing to escape against
if (!$con) {
  die("Failed to connect to MySQL: " . mysqli_connect_error());
}

// escape variables for security (the connection is the first argument)
$firstname = mysqli_real_escape_string($con, $_POST['firstname']);
$lastname = mysqli_real_escape_string($con, $_POST['lastname']);
$age = mysqli_real_escape_string($con, $_POST['age']);

// every escaped value is placed inside quotes in the SQL text
$sql = "INSERT INTO Persons (FirstName, LastName, Age)
VALUES ('$firstname', '$lastname', '$age')";

if (!mysqli_query($con, $sql)) {
  die(mysqli_error($con));
}
echo "1 record added";

?>
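Added example, not code from the original post: it shows the two things a practitioner checks when relying on mysqli_real_escape_string(), namely that escaping only protects a value that ends up inside a quoted string literal in the SQL text (an unquoted number is not protected, so it is validated as an integer instead), and that the escaping depends on the connection character set set with mysqli_set_charset(). The same insert is then written as a prepared statement, where the values travel separately from the SQL text and no escaping step is needed. The table and columns are the Persons table from the example above; the function names insert_person_escaped() and insert_person_prepared() and the connection credentials are placeholders chosen for this example.

```php
<?php
// Added example: escaping done correctly, beside the prepared-statement form.
// Assumes the Persons(FirstName, LastName, Age) table used in the post above.

// Validate the age as a bounded integer; a numeric column gets a number, not an
// escaped string (escaping does nothing for a value that is not inside quotes).
function parse_age(string $age)
{
    return filter_var($age, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
}

// Variant 1: string escaping. Each escaped value MUST be wrapped in quotes in
// the SQL text, and the connection charset must be declared so the escaping
// rules match the bytes the client actually sends.
function insert_person_escaped(mysqli $con, string $first, string $last, string $age): bool
{
    mysqli_set_charset($con, 'utf8mb4');

    $ageInt = parse_age($age);
    if ($ageInt === false) {
        return false;   // reject, rather than escape, a value that is not a number
    }
    $first = mysqli_real_escape_string($con, $first);
    $last  = mysqli_real_escape_string($con, $last);

    $sql = "INSERT INTO Persons (FirstName, LastName, Age)
            VALUES ('$first', '$last', $ageInt)";
    return mysqli_query($con, $sql);
}

// Variant 2: prepared statement. The SQL text is fixed before any user value
// is seen; the values are bound by type ('s' string, 'i' integer).
function insert_person_prepared(mysqli $con, string $first, string $last, string $age): bool
{
    $ageInt = parse_age($age);
    if ($ageInt === false) {
        return false;
    }

    $stmt = mysqli_prepare($con,
        'INSERT INTO Persons (FirstName, LastName, Age) VALUES (?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, 'ssi', $first, $last, $ageInt);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// Usage (host, user, password and database are placeholders):
$con = mysqli_connect('localhost', 'db_user', 'db_password', 'db_name');
if (!$con) {
    die('Failed to connect to MySQL: ' . mysqli_connect_error());
}

$first = $_POST['firstname'] ?? '';
$last  = $_POST['lastname'] ?? '';
$age   = $_POST['age'] ?? '';

if (insert_person_prepared($con, $first, $last, $age)) {
    echo "1 record added";
} else {
    // error text goes to the browser, so it is HTML-encoded like any other output
    echo "Record not added: " . htmlspecialchars(mysqli_error($con), ENT_QUOTES, 'UTF-8');
}
```

The escaped variant is kept to show what correct use looks like; the prepared variant is the one to reach for in new code, because it needs no per-value escaping, no quoting discipline in the SQL string, and no charset coordination.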



(2) stripslashes() :

The stripslashes() function removes backslashes added by the addslashes() function.

Tip: This function can be used to clean up data retrieved from a database or from an HTML form.

Syntax :
stripslashes(string)

string : Required. Specifies the string to check

Example   :

<!DOCTYPE html>
<html>
<body>

<?php
echo stripslashes("Who\'s Peter Griffin?");
?>

</body>
</html>



(3) addcslashes() :

The addcslashes() function returns a string with backslashes in front of the specified characters.

Note: The addcslashes() function is case-sensitive.

Note: Be careful using addcslashes() on 0 (NULL), r (carriage return), n (newline), f (form feed), t (tab) and v (vertical tab). In PHP, \0, \r, \n, \t, \f and \v are predefined escape sequences.

Syntax :
addcslashes(string,characters)

string : Required. Specifies the string to be escaped
characters : Required. Specifies the characters or range of characters to be escaped


EXAMPLE:

<?php
$str = addcslashes("Hello World!","W");
echo($str);
?>


EXAMPLE:

<!DOCTYPE html>
<html>
<body>

<?php
$str = "Welcome to my humble Homepage!";
echo $str."<br>";
echo addcslashes($str,'A..Z')."<br>";
echo addcslashes($str,'a..z')."<br>";
echo addcslashes($str,'a..g');
?>

</body>
</html>

OUTPUT:
Welcome to my humble Homepage!
\Welcome to my humble \Homepage!
W\e\l\c\o\m\e \t\o \m\y \h\u\m\b\l\e H\o\m\e\p\a\g\e!
W\el\com\e to my hum\bl\e Hom\ep\a\g\e!



(4) trim() :


The trim() function removes whitespace and other predefined characters from both sides of a string.


Example:

<?php
$str = "Hello World!";
echo $str . "<br>";
echo trim($str,"Hed!");
?>
OUTPUT:

Hello World!
llo Worl



(5) htmlspecialchars() :


The htmlspecialchars function in PHP is used to convert 5 characters into corresponding HTML entities where applicable. It is used to encode user input on a website so that users cannot insert harmful HTML codes into a site.

The htmlspecialchars() function converts some predefined characters to HTML entities.
The predefined characters are:
  • & (ampersand) becomes &amp;
  • " (double quote) becomes &quot;
  • ' (single quote) becomes &#039;
  • < (less than) becomes &lt;
  • > (greater than) becomes &gt;

EXAMPLE:

<?php
$str = "Jane & 'Tarzan'";
echo htmlspecialchars($str, ENT_COMPAT); // Will only convert double quotes
echo "<br>";
echo htmlspecialchars($str, ENT_QUOTES); // Converts double and single quotes
echo "<br>";
echo htmlspecialchars($str, ENT_NOQUOTES); // Does not convert any quotes
?>

OUTPUT (the HTML source the script produces):

Jane &amp; 'Tarzan'
Jane &amp; &#039;Tarzan&#039;
Jane &amp; 'Tarzan'

OUTPUT (as the browser renders it):

Jane & 'Tarzan'
Jane & 'Tarzan'
Jane & 'Tarzan'
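Added example, not from the original post: it applies htmlspecialchars() the way the paragraph above describes, encoding a user-supplied value both where it is echoed as page text and where it is placed back into a form field's value attribute. The flags go beyond the example above: ENT_QUOTES so that both quote characters are converted (ENT_COMPAT leaves the single quote alone, which is not enough inside a single-quoted attribute), ENT_SUBSTITUTE so that invalid UTF-8 is replaced instead of producing an empty string, and an explicit charset matching the page. The helper name h(), the function render_name_field() and the sample input are constructed for this example.

```php
<?php
// Added example: HTML output encoding with htmlspecialchars().

// Encode a value for HTML text or an attribute value. ENT_QUOTES converts both
// " and ', ENT_SUBSTITUTE replaces malformed UTF-8 rather than returning "",
// and the charset argument must match the encoding the page is served in.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Re-display a submitted name: once inside a double-quoted attribute, once as
// text. Both positions receive the encoded form, never the raw value.
function render_name_field(string $userInput): string
{
    return '<input type="text" name="name" value="' . h($userInput) . '">'
         . '<p>You entered: ' . h($userInput) . '</p>';
}

// Constructed sample input containing every character the function converts.
$sample = $_POST['name'] ?? 'O\'Brien "Jr" <b>&</b>';
echo render_name_field($sample);
```

In the generated source the quotes, angle brackets and ampersand of the sample come out as the &quot;, &#039;, &lt;, &gt; and &amp; entities listed above, so the browser shows them as characters inside the field and the paragraph rather than interpreting them as markup.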



================================================================================================================================================
From Validation to Prevent SQL Injection Attack :
<html>
  <head>
      <style>
         .error {color: #FF0000;}
      </style>
   </head>
  
   <body>
      <?php
         // define variables and set to empty values
         $nameErr = $emailErr = $genderErr = $websiteErr = $subjectErr = "";
         $name = $email = $gender = $class = $course = "";
         $subject = [];   // subject[] is submitted as an array, so it starts as one
        
         if ($_SERVER["REQUEST_METHOD"] == "POST") {
            if (empty($_POST["name"])) {
               $nameErr = "Name is required";
            }
            else
            {
               $name = test_input($_POST["name"]);
            }
           
            if (empty($_POST["email"])) {
               $emailErr = "Email is required";
            }
            else
            {
               $email = test_input($_POST["email"]);
              
               // check if e-mail address is well-formed
               if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
                  $emailErr = "Invalid email format";
               }
            }
           
            if (empty($_POST["course"])) {
               $course = "";
            }
            else
            {
               $course = test_input($_POST["course"]);
            }
           
            if (empty($_POST["class"])) {
               $class = "";
            }
            else
            {
               $class = test_input($_POST["class"]);
            }
           
            if (empty($_POST["gender"])) {
               $genderErr = "Gender is required";
            }
            else
            {
               $gender = test_input($_POST["gender"]);
            }
           
            if (empty($_POST["subject"])) {
               $subjectErr = "You must select 1 or more";
            }
            else
            {
               // subject[] arrives as an array: sanitize every element, not the array as a whole
               $subject = array_map('test_input', (array)$_POST["subject"]);
            }
         }
        
         function test_input($data) {
            $data = trim($data);
            $data = stripslashes($data);
            $data = htmlspecialchars($data);
            return $data;
         }
      ?>
                               
      <h2>Absolute classes registration</h2>
     
      <p><span class="error">* required field.</span></p>
     
      <form method="POST" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
         <table>
            <tr>
               <td>Name:</td>
               <td><input type="text" name="name">
                  <span class="error">* <?php echo $nameErr;?></span>
               </td>
            </tr>
           
            <tr>
               <td>E-mail: </td>
               <td><input type="text" name="email">
                  <span class="error">* <?php echo $emailErr;?></span>
               </td>
            </tr>
           
            <tr>
               <td>Time:</td>
               <td> <input type="text" name="course">
                  <span class="error"><?php echo $websiteErr;?></span>
               </td>
            </tr>
           
            <tr>
               <td>Classes:</td>
               <td> <textarea name="class" rows="5" cols="40"></textarea></td>
            </tr>
           
            <tr>
               <td>Gender:</td>
               <td>
                  <input type="radio" name="gender" value="female">Female
                  <input type="radio" name="gender" value="male">Male
                  <span class="error">* <?php echo $genderErr;?></span>
               </td>
            </tr>
           
            <tr>
               <td>Select:</td>
               <td>
                  <select name="subject[]" size="4" multiple>
                     <option value="Android">Android</option>
                     <option value="Java">Java</option>
                     <option value="C#">C#</option>
                     <option value="Data Base">Data Base</option>
                     <option value="Hadoop">Hadoop</option>
                     <option value="VB script">VB script</option>
                  </select>
               </td>
            </tr>
           
            <tr>
               <td>Agree</td>
               <td><input type="checkbox" name="checked" value="1"></td>
               <td>
               <?php if(!isset($_POST['checked'])){ ?>
                  <span class="error">* <?php echo "You must agree to terms";?></span>
               <?php } ?>
               </td>
            </tr>
           
            <tr>
               <td>
                  <input type="submit" name="submit" value="Submit">
               </td>
            </tr>
           
         </table>
      </form>
     
      <?php
         echo "<h2>Your given values are as :</h2>";
         echo ("<p>Your name is $name</p>");
         echo ("<p> your email address is $email</p>");
         echo ("<p>Your class time at $course</p>");
         echo ("<p>your class info $class </p>");
         echo ("<p>your gender is $gender</p>");
        
         // $subject is an array once a selection was made; count() on the empty string would fail
         foreach ((array)$subject as $s)
         {
            echo($s . " ");
         }
      ?>
   </body>
</html>
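Added example, not code from the original post: the checks the form above performs, collected into one function that returns the cleaned values together with a per-field error list, so the same rules can be applied without the page-level variables. Two points go beyond the form: a text field is type-checked before trim() is called on it, because a client can submit name[]=... and turn a string into an array, and the radio and multi-select values are compared against the option values the form offers instead of being accepted as-is. The function also leaves out the stripslashes() step of test_input(): that call undoes the backslashes PHP's magic_quotes feature once added to request data, a feature removed in PHP 5.4, so on current PHP it alters backslashes the user genuinely typed. HTML encoding is applied when a value is echoed, by the one-line helper h(). The names validate_registration() and h() are chosen for this example; field names and option values are the form's own.

```php
<?php
// Added example: the form's validation as a function (field names from the form above).

// Encode for HTML at output time (the role htmlspecialchars() plays in test_input()).
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function validate_registration(array $post): array
{
    $values = ['name' => '', 'email' => '', 'course' => '', 'class' => '',
               'gender' => '', 'subject' => []];
    $errors = [];

    // Text fields: reject an array where a single string is expected.
    foreach (['name', 'email', 'course', 'class', 'gender'] as $field) {
        $raw = $post[$field] ?? '';
        if (!is_string($raw)) {
            $errors[$field] = ucfirst($field) . ' must be a single value';
            continue;
        }
        $values[$field] = trim($raw);
    }

    // Required fields: the three the form marks with *.
    foreach (['name', 'email', 'gender'] as $required) {
        if (!isset($errors[$required]) && $values[$required] === '') {
            $errors[$required] = ucfirst($required) . ' is required';
        }
    }

    // Well-formedness check on the trimmed address, as the form does.
    if ($values['email'] !== '' && filter_var($values['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid email format';
    }

    // Radio buttons and the multi-select: only the form's own option values
    // are data; anything else is an error (allowlist, not escaping).
    if ($values['gender'] !== '' && !in_array($values['gender'], ['female', 'male'], true)) {
        $errors['gender'] = 'Invalid gender value';
    }

    $allowedSubjects = ['Android', 'Java', 'C#', 'Data Base', 'Hadoop', 'VB script'];
    $subjects = $post['subject'] ?? [];
    if (!is_array($subjects) || $subjects === []) {
        $errors['subject'] = 'You must select 1 or more';
    } else {
        foreach ($subjects as $s) {
            if (!is_string($s) || !in_array($s, $allowedSubjects, true)) {
                $errors['subject'] = 'Invalid subject selection';
                break;
            }
            $values['subject'][] = $s;
        }
    }

    if (!isset($post['checked'])) {
        $errors['checked'] = 'You must agree to terms';
    }

    return ['values' => $values, 'errors' => $errors];
}

// Usage: validate only on POST; every value is passed through h() when echoed.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $result = validate_registration($_POST);
    if ($result['errors'] === []) {
        echo '<p>Your name is ' . h($result['values']['name']) . '</p>';
        echo '<p>Subjects: ' . h(implode(', ', $result['values']['subject'])) . '</p>';
    } else {
        foreach ($result['errors'] as $field => $message) {
            echo '<p class="error">' . h($field) . ': ' . h($message) . '</p>';
        }
    }
}
```

Returning the errors as an array keyed by field name lets the page print each message next to its input, exactly where the form above echoes $nameErr, $emailErr and $genderErr; the values in $result['values'] are still raw and are only encoded at the point they are written into HTML (or, for a database insert, bound to a prepared statement).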
