Duo Fantasio

Duo Fantasio is a wedding planner agency, always up to date with the latest trends in flower arrangements and wedding decorations. To see for yourself, visit the photo gallery and services pages, or get an estimate of your wedding cost.


JR Jewelers

JR Jewelers has an exciting new design. The site has also undergone an intensive reconstruction to provide an experience that is altogether more attractive and more user friendly for customers. The site is easier to navigate, and purchasing items from the store has been made simpler.



January 3, 2010 How to avoid SQL Injection attacks?

What is SQL Injection?

SQL injection is an attack against the database behind dynamic websites (and other applications). A widely exposed, poorly secured database is open to these attacks at the application level.

A simple example of this kind of attack is the login form. One can inject SQL code that alters data in the database or extracts private, valuable information.

If we try to log on to an account with the username "vasile", but instead of "vasile" we write "vasile';DROP TABLE users; SELECT * FROM data WHERE 't' = 't", what does the SQL command sent to the database look like?

SELECT * FROM users WHERE name = 'vasile';DROP TABLE users; SELECT * FROM data WHERE 't' = 't';

The consequence? Where is the users table now? Inevitably, the answer is: gone!

How do we protect the database?

  • Connect with database users that have limited privileges. We should not connect as a super-user or as any other user that can manipulate more databases than the one we are interested in.
  • Use validation functions on form input, from the simplest type checks on variables up to regular expressions.
  • For numeric input, check it with a function such as "is_numeric()".
  • For string values, use the string-escaping function provided by the particular DBMS.
  • Do not display information that is specific to the database, such as its schema.
  • Avoid accepting characters such as colon, semicolon, slash, backslash, dot or comma, as well as NULL bytes, new lines and the like, in any user input string, URL parameter or cookie value.
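The login example above, worked through in Python's built-in sqlite3 module, is an added example and not part of the original post: the vulnerable query built by string concatenation is shown beside the parameterized form, using the exact injected username from the post. The table layout and the sample user are constructed for the demonstration.

```python
import sqlite3

# Constructed sample input: the exact username from the post above.
INJECTED_NAME = "vasile';DROP TABLE users; SELECT * FROM data WHERE 't' = 't"


def make_db():
    """Constructed in-memory database with the 'users' and 'data' tables the post mentions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (name TEXT, password TEXT);"
        "INSERT INTO users VALUES ('vasile', 'secret');"
        "CREATE TABLE data (payload TEXT);"
    )
    return conn


def table_exists(conn, table):
    """Checks the catalogue (itself via a bound parameter) for a table name."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    return row[0] == 1


def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation, as in the post.
    executescript runs every statement in the string, mirroring a driver or
    configuration that permits stacked queries. Returns whether 'users' survived."""
    sql = "SELECT * FROM users WHERE name = '" + username + "';"
    conn.executescript(sql)
    return table_exists(conn, "users")


def lookup_parameterized(conn, username):
    """Sends the SQL text and the value separately; the value can never become SQL.
    Returns the matching rows and whether 'users' survived."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (username,)).fetchall()
    return rows, table_exists(conn, "users")


if __name__ == "__main__":
    print(lookup_vulnerable(make_db(), INJECTED_NAME))          # False: table dropped
    conn = make_db()
    print(lookup_parameterized(conn, INJECTED_NAME))            # ([], True)
    print(lookup_parameterized(conn, "vasile"))                 # [('vasile',)], True
```

sqlite3's plain execute() refuses more than one statement per call, which blocks this particular stacked payload but not injection in general (a WHERE clause can still be rewritten), so the bound parameter is the fix, not the driver quirk.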