Sunday, November 23, 2008

Since I started teaching at this college, I have been drifting further and further away from my real world... how could I not, when I haven't touched anything to do with programming at all... I miss it... hahaha. But two days ago a friend from my student days asked me to work on a web developer project... great! So now I'm a bit active again, looking back into PHP, SQL and everything related to them. While exploring programming and so on I came across this article... quite nice!!! So I copied and pasted it into this blog, in case any of my friends want to know about this... hehehehe

Protecting Your PHP/MySQL Queries from SQL Injection


SQL injection is a serious concern for webmasters: an experienced attacker can use this technique to read sensitive data, modify it, or potentially cripple your database. If you haven't secured your applications, I implore you to get familiar with the following method and build it into your coding routine. One unsafe query can turn into a nightmare for you or your client.

I've read through a lot of guides, and they tend to overcomplicate this, so I'll be as straightforward as possible. In PHP the easiest way is to pass your data through the mysql_real_escape_string function before it goes into the query. By escaping special characters in every value a user can influence, the value stays inside the string literal it was meant for and cannot alter the structure of the query. Two caveats a practitioner should keep in mind: escaping only protects values that sit inside quoted string literals, so an unquoted numeric value such as WHERE id=$id is still injectable no matter how it is escaped, and the mysql_* extension this article uses was deprecated in PHP 5.5 and removed in PHP 7.0, so current code should use prepared statements via mysqli or PDO instead. Take a look below at the example of what to do and what not to do.

// This is a vulnerable query: $productname is concatenated straight into the SQL,
// so a value such as  ' OR '1'='1  changes the structure of the query.
$query = "SELECT * FROM products WHERE name='$productname'";
mysql_query($query);

// This query is more secure: mysql_real_escape_string() escapes quotes, backslashes
// and NUL bytes according to the charset of the open connection, so the value stays
// inside the string literal. It needs an open mysql_connect() link to work.
$query = sprintf("SELECT * FROM products WHERE name='%s'",
                 mysql_real_escape_string($productname));
mysql_query($query);

Since I primarily code in PHP, I can't confidently provide techniques for other programming languages, although every mainstream database library offers parameterised (prepared) queries that achieve the same goal. The most important part of protecting yourself is stopping users from passing unaltered special characters, such as single quotes, that can change the meaning of your database queries.
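The following is an added example, not code from the original article. It shows the four cases discussed above side by side: the vulnerable concatenated query, the escaped query, the unquoted numeric value where escaping does not help, and the prepared-statement version that closes both holes. To keep it self-contained and runnable offline it uses PDO with an in-memory SQLite database (requires the pdo_sqlite extension) instead of a MySQL connection; the table, rows, product names and attacker inputs are all constructed for the demo, and PDO::quote() stands in for mysql_real_escape_string(). With MySQL you would use a "mysql:host=...;dbname=..." DSN and the same prepared-statement calls.

```php
<?php
// Added example (not from the original article). In-memory SQLite via PDO so it
// runs offline; the schema, rows and payloads below are constructed for the demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)");
$pdo->exec("INSERT INTO products (id, name, secret) VALUES (1, 'widget', 'public')");
$pdo->exec("INSERT INTO products (id, name, secret) VALUES (2, 'gadget', 'internal-only')");

// 1. Vulnerable: the user-controlled value is concatenated into the SQL text,
//    so a quote in the input ends the literal and the rest becomes SQL.
function findByNameVulnerable(PDO $pdo, string $productname): array {
    $query = "SELECT * FROM products WHERE name='$productname'";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Escaped: same query shape, but the value is escaped first.
//    PDO::quote() plays the role of mysql_real_escape_string() here; note that
//    quote() also adds the surrounding single quotes, so none are written in the SQL.
function findByNameEscaped(PDO $pdo, string $productname): array {
    $query = sprintf("SELECT * FROM products WHERE name=%s", $pdo->quote($productname));
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Escaping does NOT help where the value is not inside quotes. addslashes()
//    stands in for a quote/backslash-only escape: the payload "1 OR 1=1" contains
//    neither, so it passes through unchanged and is parsed as SQL.
function findByIdEscapedButUnquoted(PDO $pdo, string $id): array {
    $query = "SELECT * FROM products WHERE id=" . addslashes($id);
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// 4. Prepared statements: SQL text and values travel separately, so a value can
//    never change the structure of the query, quoted or not.
function findByNamePrepared(PDO $pdo, string $productname): array {
    $stmt = $pdo->prepare("SELECT * FROM products WHERE name = :name");
    $stmt->execute([':name' => $productname]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// For a numeric column, validate the type before binding rather than trusting
// a cast; anything that is not an integer is rejected outright.
function findByIdPrepared(PDO $pdo, string $id): array {
    $int = filter_var($id, FILTER_VALIDATE_INT);
    if ($int === false) {
        throw new InvalidArgumentException("id must be an integer");
    }
    $stmt = $pdo->prepare("SELECT * FROM products WHERE id = :id");
    $stmt->bindValue(':id', $int, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$payload        = "' OR '1'='1";  // tautology payload aimed at a quoted string literal
$numericPayload = "1 OR 1=1";     // tautology payload aimed at an unquoted number

printf("1. vulnerable (string):      %d rows\n", count(findByNameVulnerable($pdo, $payload)));
printf("2. escaped (string):         %d rows\n", count(findByNameEscaped($pdo, $payload)));
printf("3. escaped but unquoted id:  %d rows\n", count(findByIdEscapedButUnquoted($pdo, $numericPayload)));
printf("4. prepared (string):        %d rows\n", count(findByNamePrepared($pdo, $payload)));
try {
    printf("4. prepared (id):            %d rows\n", count(findByIdPrepared($pdo, $numericPayload)));
} catch (InvalidArgumentException $e) {
    printf("4. prepared (id):            rejected (%s)\n", $e->getMessage());
}
```

Run it with `php sqli_demo.php`. Case 1 and case 3 are the ones to watch: in both, the attacker's input ends up being parsed as SQL rather than compared as data, and case 3 shows why "escape everything" is not a complete fix on its own. Cases 2 and 4 treat the input purely as a value; only case 4 does so regardless of whether the column is a string or a number, which is why prepared statements are the default choice today.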

2 comments:

  1. So you've changed profession now?

    Teaching is fine too.

  2. Hehe... no, I haven't changed... it's the same... still in the IT field... just from writing programs to teaching... but I'm not teaching programming... if I taught programming they would faint because they wouldn't understand what I teach... hehehe...


LOVE is in the air Copyright © 2012 Design by Ipietoon Blogger Template