Protecting a form against intrusion

What is an effective way to protect a form against intrusion?

I use the following code to filter some types of attack:

    // Blacklist filter: strips a fixed list of SQL keywords and comment markers,
    // then removes HTML tags and backslash-escapes quotes.
    // sql_regcase() was removed in PHP 7.0; the /i flag gives the same
    // case-insensitive match without changing what the function does.
    function anti_injection($sql)
    {
        $sql = preg_replace("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/i", "", $sql);
        $sql = trim($sql);
        $sql = strip_tags($sql);
        $sql = addslashes($sql);
        return $sql;
    }

$imvloginanti = anti_injection($imvlogin);
$imvsenhaanti = anti_injection($imvsenha);

How can I make this more secure?

  • 3

    Use PDO prepared statements.

  • 2

    Or better yet, if the DB is MySQL, use mysqli with prepared statements + binding. mysqli's bindings are real and sent to the server, not simulated on the client with string concatenation as PDO does.

  • 1

    No offense, but that function in the question is the kind of thing written by people who have no idea what they're doing. I don't know where you got it from, but watch out for other advice from the same source.

  • Update: I found this function on phpfreaks.com, and indeed the author of the post admitted that he doesn't understand security. He then swapped it for less bad versions, and even came close to a good one. But since that was in 2010, it wasn't mysqli.

1 answer

3


As @Marco said, use a PDO prepared statement.

Example:

$pdo = new PDO("mysql:host=mysql.seudominio.com.br;dbname=baseDeDados", "Usuario", "Senha");
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // report failed queries as exceptions

// The query shape is fixed at prepare() time; user input is only ever bound as a value below.
$statement = $pdo->prepare("Insert into tabela values(
                            :valor1,
                            :valor2,
                            :valor3)");

// Bind each placeholder to its own variable (the original had :valor2 and :valor3 swapped).
$statement->bindParam(':valor1', $SUA_VAR_VALOR_1);
$statement->bindParam(':valor2', $SUA_VAR_VALOR_2);
$statement->bindParam(':valor3', $SUA_VAR_VALOR_3);
$statement->execute();
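The following is an added example, not code from the question, the answer or the comments above. It puts the question's blacklist filter next to a login check done with a PDO prepared statement, so the difference in approach can be seen on concrete input. To run offline it uses an in-memory SQLite database with a constructed `usuarios` table and one constructed user; the table name, column names, the `connect()`/`seed()`/`login()` helpers and the sample inputs are all assumptions of this example. For MySQL, swap the DSN: `connect()` then also disables `PDO::ATTR_EMULATE_PREPARES`, which is the setting the mysqli comment above is about, so that values are bound on the server instead of being interpolated client-side.

```php
<?php
// Added example (not from the original question or answer): contrasts the
// blacklist filter from the question with a prepared-statement login.
// Runs offline against an in-memory SQLite database (constructed data).
declare(strict_types=1);

// The question's filter, with the removed sql_regcase() replaced by the /i flag.
function anti_injection(string $sql): string
{
    $sql = preg_replace("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/i", "", $sql);
    $sql = trim($sql);
    $sql = strip_tags($sql);
    return addslashes($sql);
}

// Constructed inputs showing why a keyword blacklist cannot be relied on.
function blacklist_failures(): array
{
    return [
        // stripping is a single pass: deleting the inner "select" leaves "select" behind
        'selselectect' => anti_injection('selselectect'),
        // a legitimate password is silently mangled because it contains "where"
        'wherefore'    => anti_injection('wherefore'),
        // nothing to strip or escape, yet "... WHERE id = 1 OR 1=1" matches every row
        '1 OR 1=1'     => anti_injection('1 OR 1=1'),
    ];
}

// Hardened approach: the query shape is fixed at prepare() time, values are bound
// separately, and the password is checked with password_verify(), never compared in SQL.
function connect(string $dsn = 'sqlite::memory:'): PDO
{
    $options = [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ];
    if (strncmp($dsn, 'mysql:', 6) === 0) {
        // real server-side binding on MySQL instead of client-side emulation
        $options[PDO::ATTR_EMULATE_PREPARES] = false;
    }
    return new PDO($dsn, null, null, $options);
}

// Assumed schema and one constructed user; passwords are stored hashed, never in clear.
function seed(PDO $pdo): void
{
    $pdo->exec('CREATE TABLE usuarios (id INTEGER PRIMARY KEY, login TEXT UNIQUE NOT NULL, senha_hash TEXT NOT NULL)');
    $stmt = $pdo->prepare('INSERT INTO usuarios (login, senha_hash) VALUES (:login, :hash)');
    $stmt->execute([':login' => 'alice', ':hash' => password_hash('wherefore', PASSWORD_DEFAULT)]);
}

function login(PDO $pdo, string $login, string $senha): bool
{
    // $login travels as a bound value: "' OR '1'='1" is looked up literally as a username.
    $stmt = $pdo->prepare('SELECT senha_hash FROM usuarios WHERE login = :login');
    $stmt->bindValue(':login', $login, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch();
    if ($row === false) {
        return false;
    }
    // The raw password is used as typed; no filtering, so "wherefore" still works.
    return password_verify($senha, $row['senha_hash']);
}

$pdo = connect();
seed($pdo);
foreach (blacklist_failures() as $in => $out) {
    printf("anti_injection(%-14s) => %s\n", var_export($in, true), var_export($out, true));
}
var_dump(login($pdo, 'alice', 'wherefore'));       // legitimate user and password
var_dump(login($pdo, "' OR '1'='1", 'anything'));  // injection attempt in the username
var_dump(login($pdo, 'alice', "' OR '1'='1"));     // injection attempt in the password
```

The point of the first half is that the filter both misses attacks (a doubled keyword, or an unquoted numeric context) and corrupts honest input, so it cannot be tuned into something safe. The second half never needs to inspect the input at all: the SQL text is fixed before any user data is involved, and the password comparison happens in PHP against a hash.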
