SQL Injection

Tweet SQL Injection is a technique of attacking the security of database by alternating the SQL statements through the input fields. SQL Injection happens when we place the user input data directly to the SQL query without filtering it for the dangers string. If not the hackers will steal your data from database or chances for add, edit or delete the data even the database also.

Certain SQL servers like Microsoft SQL server have stored procedure to prevent from hacking through SQL Injection. Below i will show you the simple SQL Injection query.

Imagine you have a table called users, where you have data for login function. Now here is the login check script to check the username and password in the log in process to compare the input field values and back end values.

$username=$_POST[‘username’];
$password =$_POST[‘password];
$sql=”select * from users WHERE username=$username AND password=$password”; 

Now the hackers will type the below query in the text box.

123 or 1=1 and in password field 123 or 1=1

1=1 will always get satisfied and the query will get executed.

How to prevent SQL injection:

1.Avoid dynamic query.
2.Don’t pass your input field directly to the query.

Before putting the input values to the SQL query make sure you have filtered the dangers character from that string. You can use add slash function or real escape string function.
For e.g.:

$username=$_POST[‘username’];
$filter=mysql_real_escape_string($username);

By using this as practice while writing the code we can avoid SQL injection and secure our date and database.