11-23-2011, 09:35 AM | #20
XterM
New Coder

 
Join Date: Jul 2011
Location: Kediri - Indonesia
Posts: 61
Thanks: 2
Thanked 19 Times in 19 Posts
Hey, this is a nice post.

I have a simple way to prevent SQL injection attacks. Usually, a hacker tests whether the SQL is vulnerable by adding a single or double quote to the input variable, like this:

?id=1' or ?id=1"

So I remove any quotes from all variables. I use str_replace().

I see what hackers do to attack an SQL injection vulnerability, like this:

?id=1+order+by+1--
?id=1+union+select+1,2,3--

So I remove the +, -, %20, *.

I feel this is just a little trick, but it is very helpful to prevent SQL injection attacks :-)
__________________
I am sorry, my English is very bad. But I am very interested in discussing here :-)
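As an added example (not code from the post above or from its author), the following Python script implements the character-stripping filter the post describes, runs the post's own probe inputs through it, and puts the same lookup beside a parameterized query so the two can be compared on identical input. The in-memory SQLite table, the column names and the function names are constructed for this example; the post's PHP str_replace() call is modelled with str.replace().

```python
import sqlite3

# Tokens the post says it removes from every input variable.
STRIP_TOKENS = ("'", '"', "+", "-", "%20", "*")


def strip_tokens(value: str) -> str:
    """Blacklist filter as described in the post: delete each token
    (the equivalent of calling str_replace() once per token)."""
    for tok in STRIP_TOKENS:
        value = value.replace(tok, "")
    return value


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample table; not part of the original post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?)",
        [(1, "alpha"), (2, "beta"), (3, "gamma")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, raw_id: str) -> list:
    """Query built by string concatenation: the shape the post's probes target.
    Raises sqlite3.OperationalError when the input breaks the SQL syntax,
    which is exactly the signal the quote probe in the post looks for."""
    sql = "SELECT name FROM items WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn: sqlite3.Connection, raw_id: str) -> list:
    """Same lookup with a bound parameter: the input is handed to the engine
    as a value and is never parsed as SQL, so no character filter is needed."""
    rows = conn.execute("SELECT name FROM items WHERE id = ?", (raw_id,))
    return [row[0] for row in rows]


def probe_outcome(conn: sqlite3.Connection, raw_id: str) -> str:
    """Classify what the concatenated query does with an input:
    'rows' (returned data), 'empty' (ran, no match) or 'error' (SQL syntax broken)."""
    try:
        return "rows" if lookup_concat(conn, raw_id) else "empty"
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    conn = make_db()
    # The probes from the post, passed exactly as they appear in the URL.
    for probe in ["1", "1'", '1"', "1+order+by+1--", "1+union+select+1,2,3--"]:
        print(
            f"{probe!r:28} filtered={strip_tokens(probe)!r:22}"
            f" concat={probe_outcome(conn, probe):6} param={lookup_param(conn, probe)}"
        )
```

Running the script shows the filter collapsing `1'` to `1` and `1+union+select+1,2,3--` to `1unionselect1,2,3`, while the parameterized lookup returns `['alpha']` for `1` and an empty list for every probe string without raising an error, because the bound value is compared as data against the integer column.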