TIPS TO PREVENT SQL INJECTION

Believe it or not, it is harder to secure a website than it is to wreck its layout or damage its database from the web. Defacements and break-ins carried out by people who take advantage of a misconfigured system or a webmaster's lack of knowledge are still common.
1. Prevention of SQL Injection. An example of SQL Injection syntax:

' or 1=1--
This technique attacks the database directly. To guard against SQL Injection, first recall that the characters that cause trouble in SQL are the single and double quote, the backslash, NUL (\x00), newline (\n), carriage return (\r) and Control-Z (\x1a); the tip is to escape all of these special characters before the data goes from PHP to MySQL, which is what mysql_real_escape_string does. The second way is to filter every incoming character and allow only the characters that are explicitly permitted. Remember that SQL injection does not only arrive through user input; it can also arrive through a URL, with the help of the (;) character, which means that whatever follows the semicolon is executed as well. It is advisable to discard everything after the expected URL address. An example script that limits the characters that can be entered:
' Allow-list check: returns True only if every character of input is a letter.
' Note: an empty string passes; add a length check if that matters.
function validatepassword( input )
    good_password_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    validatepassword = true
    for i = 1 to len( input )
        c = mid( input, i, 1 )
        ' InStr returns 0 when c is not in the allow-list (binary compare, so case-sensitive)
        if ( InStr( good_password_chars, c ) = 0 ) then
            validatepassword = false
            exit function
        end if
    next
end function
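As an added example that is not part of the original post, the following Python/sqlite3 script (a stand-in for the PHP/MySQL setup the post assumes) shows the ' or 1=1-- payload above defeating a login query built by string concatenation, while the same input is harmless to a parameterised query, the modern equivalent of the escaping advice, and ports the allow-list check to Python. The table, user row and regular expression are constructed for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory database with one sample user (not from the post)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'correcthorse')")
    return con


def login_concat(con, username, password):
    """Vulnerable: the query text is assembled by string concatenation,
    so quote characters in the input become part of the SQL statement."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return con.execute(sql).fetchone()[0] > 0


def login_param(con, username, password):
    """Hardened: the values are bound as parameters and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()[0] > 0


# Same allow-list as the post's VBScript validatepassword: letters only.
GOOD_PASSWORD_CHARS = re.compile(r"[A-Za-z]+")


def validate_password(value):
    """Allow-list filter: True only if every character is an ASCII letter."""
    return GOOD_PASSWORD_CHARS.fullmatch(value) is not None


def demo():
    """Run the post's payload against both query styles and the filter."""
    con = make_db()
    payload = "' or 1=1--"
    return {
        # the comment marker turns the rest of the concatenated query into a comment
        "concat_bypassed": login_concat(con, payload, "wrong"),
        "param_bypassed": login_param(con, payload, "wrong"),
        "concat_honest": login_concat(con, "alice", "correcthorse"),
        "payload_passes_allowlist": validate_password(payload),
    }


if __name__ == "__main__":
    print(demo())
```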
2. Prevention of XSS (Cross-Site Scripting). Examples of XSS scripts:
Cookie theft is frequently carried out through this technique. Where an XSS flaw exists, a user can run a script through a form, a guest book or a URL. Even when the only thing the script does is steal the client's cookie, that is already another matter...! So the way to prevent XSS is to convert < and > into &lt; and &gt; (entities beginning with the & character, which stand in for the < and > of HTML tags) and to filter all input from the user.
3. HTML tag entry.
This is usually done through the guest book. With it, a visitor can add whatever they like to the page's appearance. From experience, webmasters used to prevent this by inserting a certain character in front of the < or > characters. The function that neutralises HTML tags is now provided directly by PHP, so all we have to do is call htmlspecialchars.
Sample script:
// Strip HTML tags unless $preserve is set, then encode what is left so the
// browser shows it as text instead of interpreting it as markup.
function cleanup($value = "", $preserve = "", $tag = "") {
    if (empty($preserve)) {
        // $tag lists the tags allowed to survive (e.g. "<b><i>"); empty means none
        $value = strip_tags($value, $tag);
    }
    // ENT_QUOTES also encodes single quotes, so the value is safe inside attributes
    $value = htmlspecialchars($value, ENT_QUOTES);
    return $value;
}
4. Limit the use of JavaScript, and do not use JavaScript for anything your website depends on to work, because JavaScript runs on the client and can make access very slow. It is recommended to use a server-side application such as PHP or ASP instead, because it runs on the server.
5. Database files should be stored in a private directory. Never store them in a public directory where others can access them; web hosts usually provide a dedicated directory for the database. The database must be protected with a password, and connections should be encrypted with SSL. Important data should not be stored directly, but as a hash (md5, or alternatives such as SHA-256 and SHA-512) or encrypted using the facilities of a programming language such as PHP.


6. Be very careful when choosing web hosting; it has a lot to prove. No matter how well the site is built, even if the password is checked twice and encrypted any number of times, once the servers are attacked there is nothing we can do.