Prevent SQL Injection Attack
(1) mysqli_real_escape_string():
The mysqli_real_escape_string() function escapes special characters in a string for use in an SQL statement.
Syntax:
mysqli_real_escape_string(connection, escapestring);
connection: Required. Specifies the MySQL connection to use.
escapestring: Required. The string to be escaped.
Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and Control-Z.
Example:
<?php
// "my_db" is a placeholder: replace it with the name of your database
$con = mysqli_connect("localhost", "root", "", "my_db");
// Check connection
if (!$con) {
    die("Failed to connect to MySQL: " . mysqli_connect_error());
}
// escape variables for security (the mysql_* functions were removed in PHP 7; use the mysqli_* ones consistently)
$firstname = mysqli_real_escape_string($con, $_POST['firstname']);
$lastname  = mysqli_real_escape_string($con, $_POST['lastname']);
$age       = mysqli_real_escape_string($con, $_POST['age']);
// every escaped value must still be enclosed in quotes inside the SQL
$sql = "INSERT INTO Persons (FirstName, LastName, Age)
        VALUES ('$firstname', '$lastname', '$age')";
if (!mysqli_query($con, $sql)) {
    die(mysqli_error($con));
}
echo "1 record added";
mysqli_close($con);
?>
(2) stripslashes():
The stripslashes() function removes backslashes added by the addslashes() function.
Tip: This function can be used to clean up data retrieved from a database or from an HTML form.
Syntax:
stripslashes(string)
string: Required. Specifies the string to check.
Example:
<!DOCTYPE html>
<html>
<body>
<?php
echo stripslashes("Who\'s Peter Griffin?");
?>
</body>
</html>
(3) addcslashes():
The addcslashes() function returns a string with backslashes in front of the specified characters.
Note: The addcslashes() function is case-sensitive.
Note: Be careful using addcslashes() on 0 (NULL), r (carriage return), n (newline), f (form feed), t (tab) and v (vertical tab). In PHP, \0, \r, \n, \t, \f and \v are predefined escape sequences.
Syntax:
addcslashes(string, characters)
string: Required. Specifies the string to be escaped.
characters: Required. Specifies the characters or range of characters to be escaped.
Example:
<?php
$str = addcslashes("Hello World!", "W");
echo($str);
?>
Example:
<!DOCTYPE html>
<html>
<body>
<?php
$str = "Welcome to my humble Homepage!";
echo $str."<br>";
echo addcslashes($str,'A..Z')."<br>";
echo addcslashes($str,'a..z')."<br>";
echo addcslashes($str,'a..g');
?>
</body>
</html>
Output:
Welcome to my humble Homepage!
\Welcome to my humble \Homepage!
W\e\l\c\o\m\e \t\o \m\y \h\u\m\b\l\e H\o\m\e\p\a\g\e!
W\el\com\e to my hum\bl\e Hom\ep\a\g\e!
(4) trim():
The trim() function removes whitespace and other predefined characters from both sides of a string.
Example:
<?php
$str = "Hello World!";
echo $str . "<br>";
echo trim($str, "Hed!");
?>
Output:
Hello World!
llo Worl
(5) htmlspecialchars():
The htmlspecialchars() function in PHP converts five characters into their corresponding HTML entities. It is used to encode user input before it is displayed on a website, so that users cannot inject harmful HTML into a page.
The predefined characters are:
- & (ampersand) becomes &amp;
- " (double quote) becomes &quot;
- ' (single quote) becomes &#039; (only when the ENT_QUOTES flag is set)
- < (less than) becomes &lt;
- > (greater than) becomes &gt;
Example:
<?php
$str = "Jane & 'Tarzan'";
echo htmlspecialchars($str, ENT_COMPAT);   // Will only convert double quotes
echo "<br>";
echo htmlspecialchars($str, ENT_QUOTES);   // Converts double and single quotes
echo "<br>";
echo htmlspecialchars($str, ENT_NOQUOTES); // Does not convert any quotes
?>
Output (HTML source, as sent to the browser):
Jane &amp; 'Tarzan'<br>
Jane &amp; &#039;Tarzan&#039;<br>
Jane &amp; 'Tarzan'
A browser renders all three lines as Jane & 'Tarzan'; the difference is only visible in the page source.
Form Validation to Prevent SQL Injection Attack:
<html>
<head>
<style>
.error {color: #FF0000;}
</style>
</head>
<body>
<?php
// define variables and set to empty values
$nameErr = $emailErr = $genderErr = $courseErr = $subjectErr = "";
$name = $email = $gender = $class = $course = "";
$subject = []; // multi-select: always an array, so iterating it below is safe
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    if (empty($_POST["name"])) {
        $nameErr = "Name is required";
    } else {
        $name = test_input($_POST["name"]);
    }
    if (empty($_POST["email"])) {
        $emailErr = "Email is required";
    } else {
        $email = test_input($_POST["email"]);
        // check if e-mail address is well-formed
        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            $emailErr = "Invalid email format";
        }
    }
    if (!empty($_POST["course"])) {
        $course = test_input($_POST["course"]);
    }
    if (!empty($_POST["class"])) {
        $class = test_input($_POST["class"]);
    }
    if (empty($_POST["gender"])) {
        $genderErr = "Gender is required";
    } else {
        $gender = test_input($_POST["gender"]);
    }
    if (empty($_POST["subject"])) {
        $subjectErr = "You must select 1 or more";
    } else {
        // sanitize every selected option, not only the scalar fields
        $subject = array_map('test_input', (array) $_POST["subject"]);
    }
}
function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
?>
<h2>Absolute classes registration</h2>
<p><span class="error">* required field.</span></p>
<form method="POST" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
<table>
  <tr>
    <td>Name:</td>
    <td><input type="text" name="name">
      <span class="error">* <?php echo $nameErr;?></span>
    </td>
  </tr>
  <tr>
    <td>E-mail:</td>
    <td><input type="text" name="email">
      <span class="error">* <?php echo $emailErr;?></span>
    </td>
  </tr>
  <tr>
    <td>Time:</td>
    <td><input type="text" name="course">
      <span class="error"><?php echo $courseErr;?></span>
    </td>
  </tr>
  <tr>
    <td>Classes:</td>
    <td><textarea name="class" rows="5" cols="40"></textarea></td>
  </tr>
  <tr>
    <td>Gender:</td>
    <td>
      <input type="radio" name="gender" value="female">Female
      <input type="radio" name="gender" value="male">Male
      <span class="error">* <?php echo $genderErr;?></span>
    </td>
  </tr>
  <tr>
    <td>Select:</td>
    <td>
      <select name="subject[]" size="4" multiple>
        <option value="Android">Android</option>
        <option value="Java">Java</option>
        <option value="C#">C#</option>
        <option value="Data Base">Data Base</option>
        <option value="Hadoop">Hadoop</option>
        <option value="VB script">VB script</option>
      </select>
      <span class="error">* <?php echo $subjectErr;?></span>
    </td>
  </tr>
  <tr>
    <td>Agree</td>
    <td><input type="checkbox" name="checked" value="1">
      <?php if ($_SERVER["REQUEST_METHOD"] == "POST" && !isset($_POST['checked'])) { ?>
      <span class="error">* You must agree to terms</span>
      <?php } ?>
    </td>
  </tr>
  <tr>
    <td>
      <input type="submit" name="submit" value="Submit">
    </td>
  </tr>
</table>
</form>
<?php
echo "<h2>Your given values are as :</h2>";
echo "<p>Your name is $name</p>";
echo "<p>Your email address is $email</p>";
echo "<p>Your class time at $course</p>";
echo "<p>Your class info $class</p>";
echo "<p>Your gender is $gender</p>";
foreach ($subject as $s) {
    echo $s . " ";
}
?>
</body>
</html>
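Neither of the two approaches above keeps attacker-controlled text out of the SQL statement itself: mysqli_real_escape_string() (example 1) still builds the query by string concatenation and is only safe when every value is quoted and the connection charset is set, and the form's test_input() produces HTML-safe output, not SQL-safe input. The robust defence is a prepared statement, in which the query text and the values reach MySQL separately. The following is an added example, not code from the original post; it reuses the Persons table from the first example and assumes a placeholder database name my_db.

```php
<?php
// Added example (not from the original post). Assumes the Persons(FirstName,
// LastName, Age) table of the first example, in a placeholder database "my_db".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on MySQL errors

$con = new mysqli("localhost", "root", "", "my_db");
$con->set_charset("utf8mb4"); // quoting rules depend on the connection charset

// 1. Validate: reject what does not fit the field instead of trying to escape it.
$firstname = trim($_POST['firstname'] ?? '');
$lastname  = trim($_POST['lastname'] ?? '');
$age       = filter_var($_POST['age'] ?? '', FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 0, 'max_range' => 150]]);
if ($firstname === '' || $lastname === '' || $age === false) {
    die("First name, last name and a numeric age (0-150) are required");
}

// 2. Insert through a prepared statement: the SQL text holds only "?" placeholders,
//    so a name such as O'Brien is transmitted as data and never parsed as SQL.
$stmt = $con->prepare(
    "INSERT INTO Persons (FirstName, LastName, Age) VALUES (?, ?, ?)"
);
$stmt->bind_param("ssi", $firstname, $lastname, $age); // s = string, i = integer
$stmt->execute();
echo $stmt->affected_rows . " record added<br>";
$stmt->close();

// 3. Read back with the same mechanism; the bound value is matched literally.
$stmt = $con->prepare(
    "SELECT FirstName, LastName, Age FROM Persons WHERE LastName = ?"
);
$stmt->bind_param("s", $lastname);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Encoding for HTML is a separate step from SQL safety and belongs at output time.
    echo htmlspecialchars($row['FirstName'] . " " . $row['LastName'], ENT_QUOTES)
       . " (" . (int) $row['Age'] . ")<br>";
}
$stmt->close();
$con->close();
?>
```

With MYSQLI_REPORT_STRICT enabled, a failed connection, prepare or execute raises a mysqli_sql_exception instead of silently returning false, so the script cannot continue on a half-failed query.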
You are now reading the article Prevent SQL Injection Attack at https://othereffect.blogspot.com/2016/06/prevent-sql-injection-attack.html