Thursday, 24 July 2014

Ways to Protect a Website from SQL Injection Attacks

Speaking of the internet, we are never far from websites that can be accessed. Speaking of websites, we are never far from talking about content: how to make it, how to secure it, and so on. This time we will discuss how to protect your website from SQL Injection attacks.

SQL Injection? What is it? Yes, some of us web developers have already heard of it, although some web developers do not know it well. SQL Injection is an attack technique against a website. The attack exploits flaws in the SQL commands that the web server sends to the database server for execution.

In general, the SQL syntax most often used when developing or building a site is DML (Data Manipulation Language) syntax, i.e. INSERT, UPDATE and DELETE. Typically the syntax sent looks like this

select * from `tblBerita` where `id` = 10

The 10 is obtained by parsing the URL parameter

http://www.website.com/index.php?id=10
 
then the PHP syntax would be written like this
  
$SQL="select * from `tblBerita` where `id` = '".$_GET['id']."'";

In normal execution of this syntax, the database server returns the results that match the parameter passed. However, if we poison the parameter sent through the URL with a special character, the single quote ('), like this

http://www.website.com/index.php?id=10 '

the SQL query will not be executed and the database server will return an error message like the following


#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

Why? Because the SQL sent to the database looks like this

select * from `tblBerita` where `id` ='10''

Note that after the value 10 there are two single quotes. This is what causes the error, and this is what turns a site into a loophole that is easily exploited by the SQL Injection method.

So, how do we overcome this? The way is to sanitize the data sent from the URL.

PHP itself provides a special function to handle this case, mysql_real_escape_string. But we can also write our own method to do this; the important goal is to sanitize the transmitted data.

When that function is used, the PHP syntax that sends the SQL query to the database server would look like this

$SQL="select * from `tblBerita` where `id` = '".mysql_real_escape_string($_GET['id'])."'";

and the query becomes like this when a single quote is added in the URL

select * from `tblBerita` where `id`='10\''

Thus the database reads only one single quote before the number 10 and one single quote after it, while the additional single quote after the number 10 is not treated as a string delimiter because of the backslash (\) preceding it; it becomes part of the value instead.
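As an added example (not the post's own code), here is the concatenated query from the post beside a version that binds the value as a parameter, which is the defence the mysql extension's successors (PDO, mysqli) rely on; it assumes PDO with an in-memory SQLite database so that it runs offline, and with MySQL only the DSN would change.

```php
<?php
// Added example, not from the original post. Assumes pdo_sqlite is available;
// the table name and rows are constructed for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE `tblBerita` (`id` INTEGER PRIMARY KEY, `judul` TEXT)");
$db->exec("INSERT INTO `tblBerita` VALUES (10, 'Berita sepuluh'), (11, 'Berita sebelas')");

// Vulnerable: the URL parameter is concatenated straight into the SQL text,
// exactly like the $_GET['id'] line in the post.
function fetchConcatenated(PDO $db, string $id): array {
    $sql = "select * from `tblBerita` where `id` = '" . $id . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value travels as a bound parameter, never as SQL text,
// so a quote inside it cannot change the structure of the statement.
function fetchPrepared(PDO $db, string $id): array {
    $stmt = $db->prepare("select * from `tblBerita` where `id` = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The normal request and the poisoned one from the post (id=10 ').
$inputs = ['10', "10 '"];
foreach ($inputs as $id) {
    try {
        $rows = fetchConcatenated($db, $id);
        echo "concatenated id=[$id]: " . count($rows) . " row(s)\n";
    } catch (PDOException $e) {
        // The stray quote breaks the SQL syntax: the same class of error
        // the post shows as MySQL's #1064.
        echo "concatenated id=[$id]: syntax error -> " . $e->getMessage() . "\n";
    }
    // The prepared version never errors: it simply finds no row for "10 '".
    $rows = fetchPrepared($db, $id);
    echo "prepared id=[$id]: " . count($rows) . " row(s)\n";
}
```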

That concludes my brief tutorial on protecting a website from SQL Injection attacks.