Hello Readers! This is a small blog on MySQL injection; hope you like it.
MySQL Injection:
MySQL injection is a code injection technique used to attack data-driven applications, in which harmful SQL statements are inserted into an entry field for execution. SQL injection must exploit a security vulnerability in an application's software, for example, when user input is incorrectly filtered, or is not strongly typed and is unexpectedly executed.
SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
SQL injection attacks allow attackers to assume a malicious (fake) identity, alter or damage existing data, void transactions or change balances, disclose all data on the system, destroy the data, and become administrators of the database server.
Preventing SQL Injection:
Escape characters can be handled in scripting languages such as Perl and PHP. To escape input characters that are special to MySQL, the MySQL extension for PHP provides the mysql_real_escape_string() function.
// Undo magic-quotes escaping first so the value is not escaped twice.
if (get_magic_quotes_gpc())
{
    $name = stripslashes($name);
}
// Escape MySQL special characters before placing the value in the query.
$name = mysql_real_escape_string($name);
mysql_query("SELECT * FROM users WHERE name='{$name}'");
The LIKE Quandary:
To use LIKE safely, convert user-supplied % and _ characters to literals. Use addcslashes(), a function that lets you specify a character range to escape.
// Escape for the SQL string first, then backslash-escape the LIKE wildcards % and _.
$sub = addcslashes(mysql_real_escape_string("%something_"), "%_");
mysql_query("SELECT * FROM messages WHERE subject LIKE '{$sub}%'");
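Added example (not from the original post): the name lookup and the LIKE query above, written with PDO prepared statements so the values are bound as parameters instead of being escaped into the SQL string. It assumes an in-memory SQLite database so that it runs without a server (for MySQL only the DSN changes); the sample rows, the function names and the choice of '!' as the LIKE escape character are assumptions made for this example.

```php
<?php
// Added example, not code from the original post. Table names follow the
// post's queries; rows and function names are constructed for illustration.
$pdo = new PDO('sqlite::memory:');   // assumption: use a mysql: DSN for MySQL
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec("CREATE TABLE users (name TEXT)");
$pdo->exec("CREATE TABLE messages (subject TEXT)");
$pdo->exec("INSERT INTO users VALUES ('alice'), ('O''Brien')");
$pdo->exec("INSERT INTO messages VALUES
            ('100%_done'), ('100 percent done'), ('100%xdone')");

// Equality lookup: the value travels as a bound parameter, never as SQL text,
// so a quote inside it cannot end the string literal.
function findUser(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT name FROM users WHERE name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Binding does not neutralise % and _, which are still LIKE wildcards.
// Escape them (and the escape character itself, first) with '!'.
function escapeLike(string $value): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $value);
}

// Prefix search: the user part is matched literally, only the trailing %
// appended by the application acts as a wildcard.
function subjectsStartingWith(PDO $pdo, string $prefix): array
{
    $stmt = $pdo->prepare(
        "SELECT subject FROM messages WHERE subject LIKE ? ESCAPE '!'"
    );
    $stmt->execute([escapeLike($prefix) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(findUser($pdo, "O'Brien"));            // name containing a quote
var_dump(subjectsStartingWith($pdo, "100%_"));  // prefix containing % and _
```

The mysql_* functions and get_magic_quotes_gpc() used in the post's snippets were removed in PHP 7.0 and PHP 8.0 respectively, so bound parameters through PDO or mysqli are the form that runs on current PHP.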