I am new to databases and security.
I am planning to put up a website.
I've read that SQL injection vulnerabilities can be very dangerous since the server might leak user passwords and credit-card information.
Are there any steps that I need to follow to prevent SQL injection vulnerabilities?
I was going through a wiki on SQL injection, but I didn't understand the following query:
SELECT * FROM users WHERE name = '" + userName + "';
2 Answers
You'd better use prepared statements in your programming source code, e.g. for PHP use PDO's prepared statements!
Check this - https://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php
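The line the question quotes is not SQL itself but server-side code (the `" + userName + "` part is string concatenation) that pastes whatever the visitor typed into the middle of the SQL text. The following is an added example, not code from the question or the answer above: it runs that concatenated query against an in-memory SQLite database so you can see it being subverted, then does the same lookup with a PDO prepared statement as the answer recommends. The table, columns, rows and the `lookupUnsafe`/`lookupSafe` function names are all constructed for this demo.

```php
<?php
// Added example (not from the question or the answer): the concatenated query
// from the question beside its PDO prepared-statement replacement.
// In-memory SQLite so it runs offline; table and rows are made up for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT)");
$db->exec("INSERT INTO users (name, password_hash) VALUES ('alice', 'hash-a'), ('bob', 'hash-b')");

// The pattern from the question: the visitor's input becomes part of the SQL text,
// so the database cannot tell where the query ends and the data begins.
function lookupUnsafe(PDO $db, string $userName): array {
    $sql = "SELECT * FROM users WHERE name = '" . $userName . "'";
    echo "SQL actually sent: $sql\n";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The fix: the SQL text never changes; the value is sent separately as a parameter
// and is only ever treated as data, never as SQL.
function lookupSafe(PDO $db, string $userName): array {
    $stmt = $db->prepare("SELECT * FROM users WHERE name = :name");
    $stmt->execute([':name' => $userName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$normal = "alice";
$attack = "' OR '1'='1";   // closes the opening quote, then makes the WHERE clause always true

printf("unsafe, normal input: %d row(s)\n", count(lookupUnsafe($db, $normal)));
printf("unsafe, attack input: %d row(s)\n", count(lookupUnsafe($db, $attack)));
printf("safe,   normal input: %d row(s)\n", count(lookupSafe($db, $normal)));
printf("safe,   attack input: %d row(s)\n", count(lookupSafe($db, $attack)));
```

With the attack string, `lookupUnsafe` sends `SELECT * FROM users WHERE name = '' OR '1'='1'` and returns every user (including their password hashes), while `lookupSafe` returns nothing, because no user is literally named `' OR '1'='1`. One caveat when you move this to MySQL: leave `PDO::ATTR_EMULATE_PREPARES` off (set it to `false`) so the server, not the PHP driver, does the parameter binding.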
I used a private function that vetted all the parameters passed into my services (Models in today's parlance). In a large application you might as well make it a 'global' function that all your scripts/models access when you're accepting any parameters from your frontend.
e.g.
// Vets one incoming parameter before it is used in a query.
private function protectMySQL($myParam)
{
    // Undo any backslash-escaping that was added on the way in (e.g. by magic_quotes).
    $myParam = stripslashes($myParam);
    // Escape quote characters for MySQL; requires an open mysql_* connection.
    $myParam = mysql_real_escape_string($myParam);
    return $myParam;
}
and then in each function
public function setMonthlyData($companyID, $userID, $resultArr)
{
    require_once("vo/Object.php");   // the application's own value-object class
    $myResponseObj = new Object();
    $myCompanyID = $this->protectMySQL($companyID); // vet $companyID
    $myUserID = $this->protectMySQL($userID);       // vet $userID
    // ..... etc
    // execute query using parameters
    // then return the result
}
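Two caveats a practitioner would add to the approach above: `mysql_real_escape_string` only protects values that end up inside quotes (it cannot help with `WHERE companyID = $companyID` when the ID is interpolated unquoted, where a payload such as `1 OR 1=1` contains no quote to escape), and the `mysql_*` functions were removed in PHP 7. The following added example, which is not the answer's code, keeps the answer's idea of a central vetting step but has it validate the type and shape each parameter must have, and then binds the values to a prepared statement with a matching PDO type. The table, columns, rows and the `requireInt`/`requireMonth`/`getMonthlyData` names are constructed for the demo.

```php
<?php
// Added example (not the answer's code): vetting by validation plus typed
// parameter binding, instead of escaping. In-memory SQLite so it runs offline;
// the table and rows are made up for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE monthly_data (company_id INTEGER, user_id INTEGER, month TEXT, total REAL)");
$db->exec("INSERT INTO monthly_data VALUES (1, 10, '2024-01', 100.0), (2, 20, '2024-01', 200.0)");

// Accept only a plain integer. Escaping would not help for an ID used in
// "WHERE company_id = $companyID": there are no quotes for an escaper to protect.
function requireInt($value): int {
    $int = filter_var($value, FILTER_VALIDATE_INT);
    if ($int === false) {
        throw new InvalidArgumentException("expected an integer, got: " . var_export($value, true));
    }
    return $int;
}

// Allow-list a string parameter whose shape is known (YYYY-MM).
function requireMonth(string $value): string {
    if (!preg_match('/^\d{4}-(0[1-9]|1[0-2])$/', $value)) {
        throw new InvalidArgumentException("expected YYYY-MM, got: $value");
    }
    return $value;
}

function getMonthlyData(PDO $db, $companyID, $userID, $month): array {
    // Vet every parameter up front, before any SQL is built.
    $companyID = requireInt($companyID);
    $userID    = requireInt($userID);
    $month     = requireMonth($month);

    // The SQL text is constant; values are bound with their declared types.
    $stmt = $db->prepare(
        "SELECT total FROM monthly_data WHERE company_id = :c AND user_id = :u AND month = :m"
    );
    $stmt->bindValue(':c', $companyID, PDO::PARAM_INT);
    $stmt->bindValue(':u', $userID, PDO::PARAM_INT);
    $stmt->bindValue(':m', $month, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Legitimate request: strings from a form that happen to hold valid values.
print_r(getMonthlyData($db, "1", "10", "2024-01"));

// Attack payloads: an unquoted-context payload for the integer ID, and a
// quote-breaking payload for the string. Both are rejected by the validators.
foreach ([["1 OR 1=1", "10", "2024-01"], ["1", "10", "2024-01' OR '1'='1"]] as $args) {
    try {
        getMonthlyData($db, ...$args);
    } catch (InvalidArgumentException $e) {
        echo "rejected: " . $e->getMessage() . "\n";
    }
}
```

The division of labour is the point: validation rejects input that could never be a legitimate ID or month, and the prepared statement guarantees that whatever does get through is still treated as a value rather than as SQL. Neither step depends on knowing which characters a particular database treats as special.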