Prevent SQL Injection to protect your database and website


In the previous section we tried to protect our website through the .htaccess file. Now let's try to prevent SQL injection, but first let's see what SQL Injection is and how it works.

Inserting SQL through an input field of a client application form is known as SQL Injection. A successful injection reaches your database and can manipulate it by adding, updating or deleting your data.

To prevent SQL Injection you can use mysql_real_escape_string on every value before it goes into a query. Note that the mysql extension this function belongs to was removed in PHP 7; on current PHP use mysqli_real_escape_string or, better, prepared statements.

$username = mysql_real_escape_string($_POST['userName']); // needs an open mysql_connect() connection; the escaped value must still be placed inside quotes in the SQL string
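The following is an added example, not code from the tutorial. It shows the same user lookup written two ways: with the value concatenated into the SQL text (the pattern escaping tries to repair) and with a prepared statement, which keeps the SQL fixed and sends the value separately. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; the table, the rows and the input "O'Brien" are constructed for the demonstration, and with MySQL only the DSN string would change.

```php
<?php
// Added example (not from the original tutorial): vulnerable string
// concatenation beside a prepared statement, run against in-memory SQLite.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, userName TEXT NOT NULL)');
// Constructed sample data; the second name legitimately contains a quote.
$pdo->exec("INSERT INTO users (userName) VALUES ('alice'), ('O''Brien')");

// UNSAFE: the user input becomes part of the SQL text, so any quote in the
// input changes the structure of the statement instead of being plain data.
function findUserUnsafe(PDO $pdo, string $userName): ?array {
    $sql = "SELECT id, userName FROM users WHERE userName = '" . $userName . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// SAFE: the SQL text is fixed at prepare time; the value is bound as a
// parameter and the database never parses it as SQL.
function findUserSafe(PDO $pdo, string $userName): ?array {
    $stmt = $pdo->prepare('SELECT id, userName FROM users WHERE userName = :u');
    $stmt->execute([':u' => $userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed input: an ordinary name that happens to contain a quote.
$input = "O'Brien";

try {
    var_dump(findUserUnsafe($pdo, $input));
} catch (PDOException $e) {
    // The quote ended the string literal early and the database received a
    // malformed statement: the input was interpreted as SQL, not as data.
    echo 'Unsafe query failed: ' . $e->getMessage() . PHP_EOL;
}

// The prepared statement finds the row regardless of what the input contains.
var_dump(findUserSafe($pdo, $input));
```

The failing concatenated query is the symptom to watch for in your own code: whenever a quote in ordinary input breaks a statement, that input is being parsed as SQL, and escaping every call site by hand is easy to miss somewhere. Prepared statements remove the problem by design, and they work the same way with mysqli (mysqli_prepare and bind_param) as with PDO.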

## Don't send any data through the query string and never use method GET in your form.
## Don't use $_GET[' '] in your PHP code.
## Don't use common names for your form fields, like username, email, fname, lname etc.
## Use a mix of lowercase letters, uppercase letters and underscores (_) in form field names and PHP variable names.

Server-side and client-side form validation

Use both server-side and client-side form validation. Before submitting your data you must validate at least one field. You can use JavaScript for client-side validation and PHP for server-side validation, so your form data will be more secure and there will be less chance of an attacker's data being inserted into your database. Also use CAPTCHA or reCAPTCHA by Google to prevent spam entries.
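As an added example (not part of the tutorial), here is the server-side half of that validation for a registration form. The field names usr_Name, usr_Email and usr_Pass are assumed, following the naming advice above; the password rules are the ones given in the "Use a strong password" section of this page. The two sample submissions standing in for $_POST are constructed.

```php
<?php
// Added example, not from the original tutorial: server-side validation of
// a registration form. Field names are assumptions for the demonstration.

// Returns a list of error messages; an empty list means the data passed.
function validateRegistration(array $post): array {
    $errors = [];

    // User name: only letters, digits and underscores, 3 to 20 characters.
    $name = trim((string)($post['usr_Name'] ?? ''));
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $name)) {
        $errors[] = 'User name must be 3-20 letters, digits or underscores.';
    }

    // E-mail: let PHP's built-in filter decide instead of a home-made regex.
    $email = trim((string)($post['usr_Email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'E-mail address is not valid.';
    }

    // Password policy from this page: longer than 6 characters, at least one
    // upper case letter, one number and one special character.
    $pass = (string)($post['usr_Pass'] ?? '');
    if (strlen($pass) <= 6) {
        $errors[] = 'Password must be longer than 6 characters.';
    }
    if (!preg_match('/[A-Z]/', $pass)) {
        $errors[] = 'Password needs at least one upper case letter.';
    }
    if (!preg_match('/[0-9]/', $pass)) {
        $errors[] = 'Password needs at least one number.';
    }
    if (!preg_match('/[^A-Za-z0-9]/', $pass)) {
        $errors[] = 'Password needs at least one special character.';
    }

    return $errors;
}

// Constructed sample submissions in place of $_POST.
$good = ['usr_Name' => 'alice_01', 'usr_Email' => 'alice@example.com', 'usr_Pass' => 'Str0ng!pass'];
$bad  = ['usr_Name' => 'al',       'usr_Email' => 'not-an-email',      'usr_Pass' => 'weak'];

foreach (['good' => $good, 'bad' => $bad] as $label => $submission) {
    $errors = validateRegistration($submission);
    echo $label . ': ' . (count($errors) === 0 ? 'OK' : implode(' ', $errors)) . PHP_EOL;
}
```

Client-side checks (HTML5 required and pattern attributes, or JavaScript) give the user quick feedback, but anyone can bypass them by posting directly to the script, so the PHP checks are the ones that actually protect the database. Validation narrows what reaches the query; it is a complement to prepared statements, not a replacement for them.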

Folder and file permission

You can set your file permissions to 0404 or 0444 so that an attacker cannot edit your file content. You can also set your folder permissions to 0664; if you provide a file upload facility to your users, set that folder's permissions to 0755.

Use a strong password

Always use a strong password: it should be longer than 6 characters and contain at least one upper case letter, one number and one special character. Change your FTP password and database password regularly. Never save your FTP details in the FTP software: FileZilla, WS-FTP etc. offer to store the user name and password, but never use those options, because an attacker who gets onto your local PC can then easily read them.

Even after taking all the necessary measures to protect your website, you cannot say that your site will never be hacked. So you should also take care of the following points.

Scan your Website Regularly

You should scan your site at least once a month to check that everything is fine. Free online tools such as SiteLock and Sucuri SiteCheck will check your site for malware and other suspicious code.

Backup Your Files and Database

You should back up your website regularly, so that if it is ever compromised you don't have to start from scratch. If your website has a database, take a database backup every day so there is less chance of losing data. Most hosts provide an option to take file and database backups; if your host doesn't offer this, see how to take a database backup through PHP.