
Easy Tip To Prevent SQL Injections

PHP Vulnerabilities 

If you're working with PHP on your website, you also have to take security into account by looking for vulnerabilities in your site. Today I am going to show a small tip that will make it harder for a hacker to retrieve the table name in your database through the $_GET attribute. This won't completely prevent it from happening, but it will make it a whole lot harder for them to find what they are looking for.

Use protection! (against SQL INJECTION)

How can we prevent this from happening? 

We can make it harder for them to get any table names from the $_GET attribute by padding it with false variables in the code. We want the code to look realistic, and we want a ton of false variables to throw off the hackers. Again, this won't prevent it completely; it is just a way to make it harder for them to get the table names that would lead to SQL injections.

Create two pages category.php & shop.php

First, let's say this is our $_GET code on the category page of a shop: category.php

 

Next we will create the shop page, which is where users select a category and are sent to the category page with its variable in the URL: shop.php

NOTE: YOU SHOULD ALREADY HAVE A RECORDSET SETUP IN DREAMWEAVER WITH YOUR CONNECTION TO YOUR DATABASE.

 

Focus on line 11 and the values associated with it. This line is basically telling the script to put false variables into the URL along with the real variable to confuse the hackers. The only value that is looked up in the database is &val, which tells the category.php page what to display. As you can see, &val='.$row['r_id'].' is retrieved from the database so that it can be used to display different content on the next page based on the query's result.

The false variables such as &id=2375463278 and &fac=F12_23433276435 are all made-up numbers, and you can make them any numbers and variable names you like. The main goal is to throw an assortment of false variables into the mix and hide the real database value &val=.$row['r_id'] so that hackers are thrown off from finding the database table.

Retrieving the values

Okay, now we read the value of &val with the $_GET attribute. We can do something like this to display content based on the value of &val.

 

The code above just shows how you could develop a shop page using the $_GET attribute and how the code works. The whole block I wrote isn't necessary; I was just showing an idea of what can be done with this.

Basically this is the code you want to be using. 

 

Now you can have an extra layer of security against SQL injections by manipulating the URL.
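The decoy parameters change what an attacker sees in the URL, but not how the value of &val reaches the database, so the page that reads it still needs a parameterized query. The following is an added example, not the article's own category.php code; it assumes a PDO connection and a hypothetical `categories` table with an integer `r_id` key and a `name` column.

```php
<?php
// Added example (not the article's code): read the category id from $_GET
// and look it up with a prepared statement, so the value is bound as data
// and never spliced into the SQL text. Decoy parameters such as &id= and
// &fac= are simply never read.
// Assumptions: table `categories` with integer key `r_id` and column `name`
// (hypothetical names), and a MySQL database named `shop`.

function getCategory(PDO $pdo, array $get): ?array
{
    // Validate the shape first: only a positive integer is a valid id.
    $val = filter_var($get['val'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($val === false) {
        return null; // missing or malformed id: show nothing
    }

    // The placeholder keeps the id out of the query string entirely.
    $stmt = $pdo->prepare('SELECT r_id, name FROM categories WHERE r_id = :val');
    $stmt->bindValue(':val', $val, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Emulated prepares are disabled so the server, not the driver, binds values.
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$category = getCategory($pdo, $_GET);
if ($category === null) {
    http_response_code(404);
    echo 'Category not found';
} else {
    // Escape on output too, so a stored name cannot inject HTML into the page.
    echo '<h1>' . htmlspecialchars($category['name'], ENT_QUOTES, 'UTF-8') . '</h1>';
}
```

With this in place, a request such as category.php?val=5&id=2375463278&fac=F12_23433276435 only ever passes the integer 5 to the database, and a non-numeric val is rejected before any query runs.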

If you have any questions please ask them below. Thank you for reading! (Hopefully I didn’t confuse you with the extra stuff I did… I got off track 😉 )

 


 

 

  • George Garey

    If you have a question leave me a comment here!