How to protect your site from local file inclusion and SQL injection in PHP?

How do you protect your site from local file inclusion and SQL injection (PHP)?

+3
7 answers

There are many measures that need to be taken. Be sure to clean all input before storing it in the database. I suggest using mysql_real_escape_string() for all the data that will be saved. Limit character input to reasonable lengths and make sure that you get the TYPE of data that you expect for this field. Block repeated attempts to submit specific data fields. Scan the contents of uploaded files looking for malicious patterns.

Wikibooks SQL Injection;


+3

SQL (. PDO::prepare()) (PDO::quote()).

(, : preg_replace('/[^a-z]/','',$str)) ( , ..)

+2

SQL- PDO (http://us3.php.net/pdo). .., , .

, , , mysql_real_escape_string()

+1

" ", , include() , , , CMS ? , , SQL- - .

, , , , . , , :

  • , ., .. / ( \ Windows)
  • -
  • include

PHP . open_basedir, , " " PHP, ( PHP 6.0), .

+1
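Putting the thread's two main recommendations together, PDO prepared statements on the SQL side and an allow-list instead of include() on user input on the file side, as an added example that is not from any of the answers; the users table, the pages/ directory and the hostile sample inputs are constructed for the demo:

```php
<?php
// Added example: both fixes side by side with the vulnerable pattern.
// Uses an in-memory SQLite database through PDO so it runs without MySQL.

// --- SQL injection: bind parameters instead of concatenating input ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real prepares where the driver supports them
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

$name = $_GET['name'] ?? "x' OR '1'='1"; // constructed hostile input for the demo

// Vulnerable: the input becomes part of the SQL text, so the quote breaks out.
// Shown for contrast only; it is never executed here.
$vulnerable = "SELECT id FROM users WHERE name = '$name'";

// Safe: the statement is compiled first, so the bound value can only ever be data
$stmt = $pdo->prepare('SELECT id FROM users WHERE name = :name');
$stmt->execute([':name' => $name]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
printf("prepared statement matched %d row(s)\n", count($rows)); // 0 for the hostile input

// --- Local file inclusion: never include() a user-controlled path ---
// Map request values onto a fixed allow-list; anything else falls back to the default page.
$pages = [
    'home'    => __DIR__ . '/pages/home.php',
    'contact' => __DIR__ . '/pages/contact.php',
];
$page   = $_GET['page'] ?? '../../etc/passwd'; // constructed hostile input for the demo
$target = $pages[$page] ?? $pages['home'];

// Defence in depth (on top of open_basedir in php.ini): confirm the resolved
// path still sits under the pages directory before including it.
$base = realpath(__DIR__ . '/pages');
$real = realpath($target);
if ($base === false || $real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('unknown page');
}
include $real;
```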

, mysql_real_escape_string() SQL. DB SQL, sanitize(). sanitize , .

/**
 * Sanitize variable for querying
 *
 * Note: relies on the legacy mysql extension (removed in PHP 7); on newer
 * PHP use mysqli_real_escape_string() with a connection, or better, PDO
 * prepared statements.
 *
 * @param mixed $var         The variable to sanitize
 * @param bool $deep         Will inspect the string deeper, converting 'null' to NULL and adding '' around strings
 * @param mixed $numstrings  Whether or not to treat numbers as strings (ie add quotes)
 * @return mixed
 */
function sanitize($var, $deep = true, $numstrings = false) {
    if (is_array($var)) {   // run each array item through this function
        foreach ($var as $key => $val) {
            $var[$key] = sanitize($val, $deep, $numstrings);
        }
    }
    else if (is_null($var) || ($deep && is_string($var) && preg_match('/^null$/i', $var) > 0)) {   // convert null variables to SQL NULL
        $var = "NULL";
    }
    else if (is_bool($var)) {   // convert boolean variables to binary boolean
        $var = ($var) ? 1 : 0;
    }
    else if ($numstrings && is_string($var)) {   // numeric strings are escaped and quoted like any other string
        $var = mysql_real_escape_string($var);
        if ($deep) {   // the original tested an undefined $quotes variable here
            $var = "'". $var ."'";
        }
    }
    else if (!is_numeric($var)) {   // clean strings
        $var = mysql_real_escape_string($var);
        if ($deep) {
            $var = "'". $var ."'";
        }
    }
    return $var;
}


, '.ht' . Apache , ".ht". , Apache (.htaccess,.htpasswd ..).

, , ( , ). .htaccess, ( PHP).

# this is all you need in the file
Order Allow,Deny
Deny from all
0

to avoid SQL injection, encrypt your password before sending

-1
