QL injection je napad gdje se problematični kod šalje SQL serveru na izvršavanje. Napad može rezultirati neautoriziranim pristupom povjerljivih podataka ili uništenjem podataka.
Before you try to read the methods below, realize that this should only be a concern for PHP developers and the like. If you are using a database driven program (e.g. WordPress, Joomla, OSCommerce), then all you need to do is upgrade your programs to the latest version available.
Metode za spriječavanje SQL injection
Escaping
One way to prevent injections is to escape dangerous characters (i.e. backslash, apostrophe and semicolon). In PHP, it is typical to escape the input using the function mysql_real_escape_string before sending the SQL query. Example:
$Pword = mysql_real_escape_string($Pword);
$query = "SELECT * FROM Users where UserName='$Uname' and Password='$Pword'";
mysql_query($query);
Parameterized statements
A parameterized query uses placeholders for the input, and the parameter values are supplied at execution time.
$sql = 'INSERT INTO Users (UserName, Password) VALUES (?, ?)';
$query = sqlsrv_query($connection, $sql, $params);
Advanced: In PHP version 5 and above, there are multiple choices for using parameterized statements; the PDO database layer is one of them. There are also vendor-specific methods; for example, MySQL 4.1 + used with the mysqli extension.
