Avoid SQL Injection with a simple trick

SQL injection

SQL injection is an attack that manipulates our database through the input submitted in forms. In effect, the attacker crafts form input so that it executes unintended actions in our database. With this method, an attacker can delete our database completely, grant administrator rights to a certain user, or lock us out of our own website. And if our site is a store, the attacker could gain access to addresses and bank accounts, which is really dangerous.

There are many ingenious ways to avoid the dreaded SQL injection; however, there is one method that has proven foolproof so far. It is a relatively new PHP function that strips from a text string any function that exists in MySQL: before the form data is sent to the database, it checks that the data contains no MySQL function, which is what makes this function foolproof for the moment.

The function to use is:

mysql_real_escape_string();

To use it, simply place the text string to be analyzed inside the parentheses. For example:

// Escape each submitted field before it is used in a query.
// mysql_real_escape_string() needs an open MySQL connection (mysql_connect()).
$_POST['usuario']  = mysql_real_escape_string($_POST['usuario']);
$_POST['nombre']   = mysql_real_escape_string($_POST['nombre']);
$_POST['apellido'] = mysql_real_escape_string($_POST['apellido']);
$_POST['email']    = mysql_real_escape_string($_POST['email']);
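The escaping step applied to the form fields above, as an added PHP example that is not the post's own code; it assumes a mysqli connection `$db` (the `mysql_*` extension the post uses was removed in PHP 7.0, so `mysqli` stands in) and a table `usuarios` with the form's columns. It shows the same value concatenated unsafely, escaped as the post recommends, and bound through a prepared statement, which is what a practitioner reaches for when the value does not sit inside a quoted string literal.

```php
<?php
// Added example, not from the original post. Assumes a mysqli connection $db
// to a database with a table `usuarios` whose columns match the form fields.
$db = new mysqli('localhost', 'app', 'secret', 'tienda'); // placeholder credentials
$db->set_charset('utf8mb4'); // escaping is only correct for the connection's charset

// Constructed sample standing in for $_POST['usuario']: a legitimate value that
// happens to contain a quote character.
$usuario = "o'brien";

// 1. Vulnerable: the value is concatenated directly, so the quote closes the
//    string literal and anything after it is parsed as SQL by the server.
$vulnerable = "SELECT id FROM usuarios WHERE usuario = '$usuario'";

// 2. Escaping, the approach the post describes (mysqli flavour): quotes,
//    backslashes and NUL bytes get a backslash prefix, so the value stays inside
//    the literal. This only helps when the value is wrapped in quotes; it does
//    nothing for a bare number or an identifier such as an ORDER BY column.
$escaped = "SELECT id FROM usuarios WHERE usuario = '"
    . $db->real_escape_string($usuario) . "'";

// 3. Prepared statement: the value is sent separately from the SQL text, so no
//    quoting rule or character-set edge case has to be right for it to be safe.
function buscarUsuario(mysqli $db, string $usuario): ?int
{
    $stmt = $db->prepare('SELECT id FROM usuarios WHERE usuario = ?');
    $stmt->bind_param('s', $usuario);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ? (int) $row['id'] : null;
}

var_dump($vulnerable, $escaped, buscarUsuario($db, $usuario));
```

The escaped query reads `... usuario = 'o\'brien'`, while the vulnerable one ends the literal after `o` and leaves `brien'` to be interpreted as SQL.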
