Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

piece of php code for prevent hacking

I have a php file at my site, and I connect to db, get some records and list them in same file.

mysql_connect("localhost", "blabla", "blabla") or die(mysql_error());
mysql_select_db("blabla") or die(mysql_error());

$blabla1 = mysql_query("SELECT * FROM gallery WHERE id_cat=1");
$blabla2 = mysql_query("SELECT * FROM gallery WHERE id_cat=2");
$blabla3 = mysql_query("SELECT * FROM gallery WHERE id_cat=3");

So, is there anything I need to do for security? Like sql-injection or anything else. there is nothing going to url. It is just www.blabla.com/gallery.php.

like image 217
designer-trying-coding Avatar asked Apr 16 '10 08:04

designer-trying-coding


People also ask

Can I use PHP for hacking?

Web Hacking Techniques: Hypertext Preprocessor or PHP is a server-side programming language used to build websites. Understanding PHP will help hackers understand web hacking techniques better. Server-Side Scripting: PHP is used in server-side scripting.

How secure is PHP code?

PHP is as secure as any other major language. PHP is as secure as any major server-side language. With the new PHP frameworks and tools introduced over the last few years, it is now easier than ever to manage top-notch security.

What methods are used to prevent hacking?

Using secure passwords is the most important way to prevent network intrusions. The more secure your passwords are, the harder it is for a hacker to invade your system. More secure often means longer and more complex.

Which method is secure for securing data in PHP?

The open_basedir function allows you to limit the files that PHP can access in your filesystem. If you set the open_basedir function to the root of your project, this means it can only access files in the root of your project and downward.


1 Answers

This snippet is perfectly safe, because there are no variables put into the query string.

To work safely in case you have to deal with variables one day - be they directly coming in from the user, or from another data source - you may want to switch over to a mySQL library that supports parametrized queries, like PDO. Those eliminate the danger of injections completely, because they take care of escaping the incoming data automatically.

If you stick with the mysql_* functions, make sure you escape all incoming any data using mysql_real_escape_string() and ensure they are inserted within a pair of single quotes.

like image 56
Pekka Avatar answered Sep 20 '22 01:09

Pekka