Tag: sql

MSSQL, PHP

How to prevent sql injection using PHP and SQL Server

Let’s see how we can prevent SQL injection attacks in our applications when we are using PHP and Microsoft SQL Server:
1. Use prepared statements – sqlsrv_prepare.
2. Use parameterized queries – PDO.
3. Use stored procedures – mssql_execute.
4. Validate user input – preg_match.
5. Escape user input – addslashes, str_replace or preg_replace quotes. …

Databases, MySQL

Retrieve useful information from MySQL

Today we will see how we can retrieve various information from a MySQL server using SQL queries.
Get all users:
SELECT * FROM mysql.user;
Get the top 10 tables by size:
SELECT concat(table_schema,'.',TABLE_NAME) TABLE_NAME, concat(round(data_length/(1024*1024),2),'M') data_length FROM information_schema.TABLES ORDER BY data_length DESC LIMIT 10; …

PHP

Preventing MySQL Injection in PHP

Security issues like MySQL injection can only be corrected by using two functions, mysql_real_escape_string (PHP manual) and stripslashes (PHP manual).
Example:
$safe_string = mysql_real_escape_string(stripslashes($tainted_string));
To make your life a little easier, just create a suitable function for this line of code:
function checkString($value) {
    return mysql_real_escape_string(stripslashes($value));
} …