Sample code for PHP database protection. Data loss is often caused by poor database management, and there is no shortage of examples of such loss. We will talk about it this time. The following code shows a sample script for running SQL statements. In this example, the SQL statements are dynamic statements, which leave the same injection attacks open. The owner of this form may think the form is safe because the column name is defined as a selection list. However, the code ignores the earlier habit about form spoofing: limiting the option to a drop-down box does not mean that others cannot submit a form containing whatever content they want (including the asterisk [*]).
```php
<html>
<head>
<title>SQL Injection Example</title>
</head>
<body>
<form id="myFrom" action="" method="post">
<p><input type="text" name="account_number"
   value="<?php echo(isset($_POST['account_number']) ?
   $_POST['account_number'] : ''); ?>" />
<select name="col">
<option value="account_number">Account Number</option>
<option value="name">Name</option>
<option value="address">Address</option>
</select>
<input type="submit" value="Save" name="submit" /></p>
</form>
<?php
if (isset($_POST['submit']) && $_POST['submit'] == 'Save') {
    /* do the form processing */
    $link = mysql_connect('hostname', 'user', 'password') or
        die('Could not connect' . mysql_error());
    mysql_select_db('test', $link);

    /* Deliberately unsafe: the column name is taken straight from the
       request, so a forged POST is not limited to the drop-down values. */
    $col = $_POST['col'];

    /* Deliberately unsafe: account_number is concatenated into the SQL
       text without validation or escaping. */
    $select = "SELECT " . $col . " FROM account_data WHERE account_number = "
        . $_POST['account_number'] . ";";
    echo '<p>' . $select . '</p>';

    $result = mysql_query($select) or die('<p>' . mysql_error() . '</p>');

    echo '<table>';
    while ($row = mysql_fetch_assoc($result)) {
        echo '<tr>';
        echo '<td>' . $row[$col] . '</td>';
        echo '</tr>';
    }
    echo '</table>';

    mysql_close($link);
}
?>
</body>
</html>
```
Therefore, to form the habit of protecting the database with PHP, avoid dynamic SQL as much as possible. If dynamic SQL cannot be avoided, never use the input directly as the column name. The following listing shows that, in addition to using static columns, you can add a simple validation routine to the account number field to ensure that the submitted value is numeric.
```php
<html>
<head>
<title>SQL Injection Example</title>
</head>
<body>
<form id="myFrom" action="" method="post">
<p><input type="text" name="account_number"
   value="<?php echo htmlspecialchars(isset($_POST['account_number']) ?
   $_POST['account_number'] : ''); ?>" /> <input type="submit"
   value="Save" name="submit" /></p>
</form>
<?php
function isValidAccountNumber($number)
{
    return is_numeric($number);
}

if (isset($_POST['submit']) && $_POST['submit'] == 'Save') {

    /* Remember habit #1--validate your data! */
    if (isset($_POST['account_number']) &&
        isValidAccountNumber($_POST['account_number'])) {

        /* do the form processing */
        $link = mysql_connect('hostname', 'user', 'password') or
            die('Could not connect' . mysql_error());
        mysql_select_db('test', $link);

        /* Static column list; the only user-supplied value is escaped
           before it is placed in the statement. */
        $select = sprintf("SELECT account_number, name, address " .
            "FROM account_data WHERE account_number = %s;",
            mysql_real_escape_string($_POST['account_number']));
        echo '<p>' . htmlspecialchars($select) . '</p>';
        $result = mysql_query($select) or die('<p>' . mysql_error() . '</p>');

        echo '<table>';
        while ($row = mysql_fetch_assoc($result)) {
            echo '<tr>';
            echo '<td>' . htmlspecialchars($row['account_number']) . '</td>';
            echo '<td>' . htmlspecialchars($row['name']) . '</td>';
            echo '<td>' . htmlspecialchars($row['address']) . '</td>';
            echo '</tr>';
        }
        echo '</table>';

        mysql_close($link);
    } else {
        echo '<span style="color:red">' .
            'Please supply a valid account number!</span>';
    }
}
?>
</body>
</html>
```
This PHP database protection example also shows the use of the mysql_real_escape_string() function. This function escapes your input correctly, so that it does not include invalid characters. If you have been relying on magic_quotes_gpc, note that it has been deprecated and will be removed in PHP V6. Avoid it from now on and write secure PHP applications as if it were absent. In addition, if your application is hosted by an ISP, magic_quotes_gpc may not be enabled there at all.
Finally, in the improved PHP database protection example, you can see that the SQL statement and the output no longer include the dynamic column option. If you later add columns containing different information to the table, you can output those columns as well. If you use a framework together with the database, the framework may already perform SQL validation for you. Review its documentation to confirm how it protects the database, and if you are still unsure, verify that behaviour yourself. Additional validation is required even when a framework handles the database interaction.
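The two listings above leave one practical question open: what to do when the dynamic column really cannot be avoided, and how to write the same lookup without the mysql_* extension, which was removed in PHP 7. The following is an added example, not code from the original article; it handles the account lookup with PDO prepared statements, resolves the requested column against a fixed allow-list instead of trusting the drop-down, and validates the account number with a strict digits-only pattern rather than is_numeric(). The DSN, credentials, and the account_data table with its three columns are assumptions carried over from the listings above.

```php
<?php
// Added example (not from the original article): account lookup with PDO
// prepared statements and a column allow-list.
// Assumed: MySQL database "test" with table account_data(account_number, name, address);
// the DSN, user and password below are placeholders.

declare(strict_types=1);

// Allow-list of selectable columns. The key is what the form submits; the
// value is the identifier that goes into the SQL text. Nothing else ever does.
const ALLOWED_COLUMNS = [
    'account_number' => 'account_number',
    'name'           => 'name',
    'address'        => 'address',
];

// Resolve a user-supplied column name against the allow-list.
// Returns null for anything not listed (including "*" or "name, secret").
function resolveColumn(string $requested): ?string
{
    return ALLOWED_COLUMNS[$requested] ?? null;
}

// Account numbers are digits only. is_numeric() would also accept values
// such as "1e3" or " 42", so a strict pattern is used instead.
function isValidAccountNumber(string $number): bool
{
    return preg_match('/^\d{1,20}$/', $number) === 1;
}

// Fetch one allow-listed column for one account. The column identifier comes
// from the allow-list, never from the request, and the account number is
// bound as a parameter, so no user data is ever part of the SQL text.
function fetchAccountColumn(PDO $db, string $column, string $accountNumber): array
{
    $resolved = resolveColumn($column);
    if ($resolved === null || !isValidAccountNumber($accountNumber)) {
        throw new InvalidArgumentException('invalid column or account number');
    }
    $stmt = $db->prepare(
        "SELECT `{$resolved}` AS value FROM account_data WHERE account_number = :acct"
    );
    $stmt->execute([':acct' => $accountNumber]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$error = null;
$rows  = [];
if (isset($_POST['submit']) && $_POST['submit'] === 'Save') {
    try {
        // Placeholder DSN and credentials. Emulated prepares are disabled so
        // the MySQL server, not the client library, performs the binding.
        $db = new PDO('mysql:host=hostname;dbname=test;charset=utf8mb4', 'user', 'password', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]);
        $rows = fetchAccountColumn($db, $_POST['col'] ?? '', $_POST['account_number'] ?? '');
    } catch (InvalidArgumentException $e) {
        $error = 'Please supply a valid account number and column.';
    } catch (PDOException $e) {
        // Database error text stays in the server log, not in the page.
        error_log($e->getMessage());
        $error = 'Lookup failed.';
    }
}
?>
<html><body>
<form action="" method="post">
<p><input type="text" name="account_number"
   value="<?= htmlspecialchars($_POST['account_number'] ?? '', ENT_QUOTES, 'UTF-8') ?>" />
<select name="col">
<?php foreach (array_keys(ALLOWED_COLUMNS) as $c): ?>
  <option value="<?= $c ?>"><?= ucwords(str_replace('_', ' ', $c)) ?></option>
<?php endforeach; ?>
</select>
<input type="submit" value="Save" name="submit" /></p>
</form>
<?php if ($error !== null): ?>
<p style="color:red"><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<table>
<?php foreach ($rows as $row): ?>
<tr><td><?= htmlspecialchars((string) $row['value'], ENT_QUOTES, 'UTF-8') ?></td></tr>
<?php endforeach; ?>
</table>
</body></html>
```

Two design points are worth noting. A column identifier cannot be bound as a query parameter, which is why the allow-list exists: the request selects an entry, and only the entry's own string reaches the statement. Disabling PDO::ATTR_EMULATE_PREPARES makes the account number travel to the server as a separate bound value, so the validation routine is a second line of defence rather than the only one, which is the "other verification is still required" point made above.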