Validating data from database php
If you missed Part 1 of PHP Security, you can check it out here Part 1 of PHP Security: User Validation and Sanitization for Beginners! We validated our data by checking if it matched the data that we wanted.
Here’s an example of a simple SQL injection: $user ID = $_POST[ ‘user_id’ ]; // This is a value of “‘ OR 1′”; $query = “SELECT * FROM users WHERE user_id = ‘$user ID'”; //output: SELECT * FROM users WHERE user_id = ” OR 1” This example shows a script that has not been secured, so the creator of the script inputtthe $_POST[ ‘user_id’ ] right into the SQL for the site.
Why do you need to validate data in the first place?
Rules can be collected through the requirements capture exercise.
PHP has a function called mysql_real_escape_string() that helps prevent injection.
Before you use this function, you should still validate all the data and sanitize it, to make sure it’s clean.
The common phrase you will have seen in PHP is to never trust “user input”.
This is one of those compartmentalising by trust value issues I mentioned.