PHP / SQL data protection – anti SQL-Injection function

SQL Injection

SQL injection is a technique where malicious users can inject SQL commands into an SQL statement, via web page input.
Injected SQL commands can alter SQL statement and compromise the security of a web application.

SQL Injection Based on 1=1 is Always True
Look at the example above, one more time.
Let’s say that the original purpose of the code was to create an SQL statement to select a user with a given user id.
If there is nothing to prevent a user from entering “wrong” input, the user can enter some “smart” input like this:

UserId:

How to protect

PHP functions

The function

//Blind SQL-INJECTION Escape sequence. Line codes anti SQL-Injection
function anti_injection($input){
$clean=strip_tags(addslashes(trim($input)));
$clean=str_replace('"','\"',$clean);
$clean=str_replace(';','\;',$clean);
$clean=str_replace('--','\--',$clean);
$clean=str_replace('+','\+',$clean);
$clean=str_replace('(','\(',$clean);
$clean=str_replace(')','\)',$clean);
$clean=str_replace('=','\=',$clean);
$clean=str_replace('>','\>',$clean);
$clean=str_replace('<','\<',$clean);
return $clean;
}

How to use

$id=$_GET['id'];
$id_clean=anti_injection($id);
PHP / SQL data protection – anti SQL-Injection function

Apache – mod_rewrite rules

Examples to configure rewrite rules in .htaccess file:
http://yourdomain.com/test

RewriteEngine On
RewriteRule ^test/?$ /testpage.php [L,NC]


Rewrite localization url with $_GET[‘lang’] variable
http://yourdomain.com/english

RewriteEngine On
RewriteRule ^(.*)/$ /$1 [R=permanent]
RewriteRule ^([a-z]{2})$ /index.php?lang=$1


Redirect 301

http://www.yourdomain.com/ to http://yourdomain.com/

RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.yourdomain\.com$ [NC]
RewriteRule ^(.*)$ http://yourdomain.com/$1 [L,R=301]
Apache – mod_rewrite rules