Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Not a programming expert, but to counter SQL injection you should filter the input.
For example, if you're asking for a telephone number, then filter special characters like *, /, \, $, #, , letters, etc.
The same thing goes for any input field: allow the characters that are needed and deny or filter other characters that are not expected as part of the data that will be collected to process the input.
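As an added example (not part of the post above), the two ways of "filtering" a telephone field, written in Python: a denylist that rejects the special characters listed above, beside an allowlist that accepts only what a phone number needs. The phone format and the sample inputs are assumptions constructed for this example; the point it shows is that a denylist lets through an injection string made only of letters, digits and spaces, while the allowlist rejects it.

```python
import re

# Allowlist for a telephone number: optional leading '+', then a digit, then
# digits with spaces, dots, parentheses or hyphens as separators.
# This format is an assumption for the example; adjust it to the data you collect.
PHONE_ALLOWED = re.compile(r"^\+?[0-9][0-9 .()-]{5,30}$")

# Denylist of "special characters" in the spirit of the post above
# (quotes and semicolon added because they matter for SQL).
DENYLIST = set("*/\\$#'\";")


def phone_denylist_ok(value: str) -> bool:
    """Weak check: reject the input only if it contains a known-bad character."""
    return not any(ch in DENYLIST for ch in value)


def phone_allowlist_ok(value: str) -> bool:
    """Stronger check: accept the input only if every character is expected."""
    return PHONE_ALLOWED.fullmatch(value) is not None


def normalize_phone(value: str) -> str:
    """Validate with the allowlist, then keep only the digits and the '+' sign.

    Raises ValueError on unexpected input instead of silently stripping it,
    so the caller cannot accidentally store a mangled value.
    """
    if not phone_allowlist_ok(value):
        raise ValueError("telephone number contains unexpected characters")
    return "".join(ch for ch in value if ch.isdigit() or ch == "+")


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate number and two injection attempts.
    samples = [
        "+1 (555) 010-2000",   # legitimate
        "555' OR '1'='1",      # classic quote-based injection: denylist catches it
        "555 OR 1=1 --",       # no denylisted character at all: only the allowlist catches it
    ]
    for s in samples:
        print(f"{s!r:24} denylist_ok={phone_denylist_ok(s)!s:5} allowlist_ok={phone_allowlist_ok(s)}")
```

Filtering like this is input validation, which keeps bad data out of the application; it is not a substitute for parameterized queries, which keep data out of the SQL grammar regardless of its content.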
You definitely should use prepared statements and bound-parameters in all cases, even though the PHP language does not make this particularly easy to do.
You should never, ever "build" an SQL statement in which anything supplied by the user is "textually inserted." Instead, you should prepare a statement that consists of a literal string hard-coded in the source code of the program, which statement includes "placeholders ('?')" corresponding to each variable parameter which the statement expects to receive. You bind the appropriate values for each placeholder, each time you execute the prepared statement ... which only need be prepared once. The SQL statement, itself, is fixed and unchanging within your program.
I frankly never quite understood why the PHP language makes the construction and execution of parameterized SQL queries so difficult. In other languages, you simply provide the parameters as an array-valued parameter to "execute." The designers of PHP did things acceptably well in most cases, but they rather-curiously fumbled the ball on this one.
Last edited by sundialsvcs; 11-27-2015 at 08:15 PM.
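As an added example (not the poster's code), the textual-insertion lookup beside the placeholder-and-bind lookup the post above describes. It is written in Python against an in-memory SQLite database, because the principle is language-independent; the table, rows and the `' OR '1'='1` payload are constructed for the example. The safe statement is a fixed string, prepared once and bound with a fresh value on each execution, exactly as the post recommends.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a small users table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, phone TEXT)")
    conn.executemany(
        "INSERT INTO users (username, phone) VALUES (?, ?)",
        [("alice", "555-0100"), ("bob", "555-0101"), ("carol", "555-0102")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The pattern the post warns against: user input textually inserted into SQL.

    A username of  ' OR '1'='1  turns the WHERE clause into
    username = '' OR '1'='1', which matches every row.
    """
    sql = "SELECT username, phone FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


# The fixed statement: a literal string with a '?' placeholder, unchanged at runtime.
SAFE_LOOKUP = "SELECT username, phone FROM users WHERE username = ?"


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Bind the value to the placeholder; the driver never parses it as SQL."""
    return conn.execute(SAFE_LOOKUP, (username,)).fetchall()


def lookup_many_safe(conn: sqlite3.Connection, usernames: list) -> list:
    """Same prepared statement, executed once per bound value."""
    rows = []
    for name in usernames:
        rows.extend(conn.execute(SAFE_LOOKUP, (name,)).fetchall())
    return rows


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("vulnerable, alice  :", lookup_vulnerable(conn, "alice"))
    print("vulnerable, payload:", lookup_vulnerable(conn, payload))   # every row leaks
    print("safe, alice        :", lookup_safe(conn, "alice"))
    print("safe, payload      :", lookup_safe(conn, payload))         # no such user
```

The PHP equivalent of `lookup_safe` with PDO is `$stmt = $pdo->prepare('SELECT username, phone FROM users WHERE username = ?'); $stmt->execute([$username]);`, where the statement string is likewise a constant and the input arrives only as a bound value.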