How to prevent SQL injection in PHP?


Hi-Tech ITO (Topic starter)
How to prevent SQL injection in PHP?
« on: 05-06-2013, 04:50:51 »


If user input is inserted into an SQL query directly, the application becomes vulnerable to SQL injection, like in the following example:

$unsafe_variable = $_POST['user_input'];

mysql_query("INSERT INTO table (column) VALUES ('" . $unsafe_variable . "')");

That's because the user can input something like value'); DROP TABLE table;--, making the query:

INSERT INTO table (column) VALUES('value'); DROP TABLE table;--')

What should one do to prevent this?


vinacle
Re: How to prevent SQL injection in PHP?
« Reply #1 on: 05-13-2013, 13:13:38 »
You've got two options - escaping the special characters in your unsafe_variable, or using a parameterized query. Both would protect you from SQL injection. The parameterized query is considered the better practice.
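The two options named in this reply, applied to the INSERT from the question, as an added example that is not part of the original thread (the `mysql_*` extension used in the question was removed in PHP 7, so the example uses mysqli and PDO). The DSN, credentials, database name and the table `table` with its column `column` are assumptions for this example:

```php
<?php
// Added example (not from the original post). Assumes a MySQL database
// "example" reachable on localhost with user "app" / password "secret",
// and a table `table` with a text column `column`, as in the question.
$dsn  = 'mysql:host=localhost;dbname=example;charset=utf8mb4'; // assumed
$user = 'app';    // assumed
$pass = 'secret'; // assumed

$user_input = $_POST['user_input'] ?? '';

// Option 1: escaping. real_escape_string() only escapes characters; it adds no
// quotes, so the value must still be wrapped in quotes in the SQL text, and it
// is only correct when the connection charset is set through the API (not via
// a "SET NAMES" query), because the escaping is charset-aware.
$mysqli = new mysqli('localhost', $user, $pass, 'example');
$mysqli->set_charset('utf8mb4');
$escaped = $mysqli->real_escape_string($user_input);
$mysqli->query("INSERT INTO `table` (`column`) VALUES ('" . $escaped . "')");

// Option 2 (preferred): a parameterized query. The statement text reaches the
// server with a placeholder; the value travels separately and cannot change the
// statement's structure, so the input  value'); DROP TABLE table;--  from the
// question is simply stored as that literal string.
$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);
$stmt = $pdo->prepare('INSERT INTO `table` (`column`) VALUES (:value)');
$stmt->execute([':value' => $user_input]);

// The same parameterized INSERT with mysqli, for code that already uses it.
$stmt = $mysqli->prepare('INSERT INTO `table` (`column`) VALUES (?)');
$stmt->bind_param('s', $user_input); // 's' = bind as a string
$stmt->execute();
```

Note that `table` and `column` are reserved words in MySQL, which is why the example backtick-quotes them; the query in the question would not run as written for that reason alone.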

johncruz
Re: How to prevent SQL injection in PHP?
« Reply #2 on: 05-13-2013, 23:20:39 »
You can use prepared statements and parameterized queries. It is considered the best practice.

kiash001
Re: How to prevent SQL injection in PHP?
« Reply #3 on: 07-28-2013, 02:36:52 »
You can use mysql_real_escape_string() to prevent SQL injection. But I recommend you use PDO (PHP Data Objects). It's better than mysql or mysqli.

CMRaper
Re: How to prevent SQL injection in PHP?
« Reply #4 on: 10-28-2013, 19:59:08 »
Like what others said, use prepared statements, AND:

1. Sanitize all user inputs before processing them (using mysqli_real_escape_string is good)
2. Initialize variables ($data = "")
3. Verify user inputs by comparing them to whitelist criteria (if(strlen($data)==5))
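Steps 2 and 3 of this reply (initialized defaults and whitelist checks) combined with a prepared statement, as an added example that is not part of the original thread. It also covers the one case a prepared statement cannot handle: column names and the ORDER BY direction cannot be bound as parameters, so they must come from a fixed allowlist. The `users` table, its columns, the request parameters and the connection details are assumptions for this example:

```php
<?php
// Added example (not from the original post). Assumes a PDO connection to an
// "example" database with a table `users` (columns id, username, created_at);
// the DSN and credentials below are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Whitelist check on a value: length and character set are restricted to what
// the application actually needs; anything else is rejected (null).
function validateUsername(string $input): ?string
{
    $len = strlen($input);
    if ($len < 3 || $len > 32) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9_]+$/', $input)) {
        return null;
    }
    return $input;
}

// Whitelist check on an identifier: placeholders cannot stand in for column
// names, so the only safe source is a fixed list; unknown input falls back to
// a harmless default instead of being interpolated.
function validateSortColumn(string $input): string
{
    $allowed = ['id', 'username', 'created_at'];
    return in_array($input, $allowed, true) ? $input : 'id';
}

// Same idea for a keyword: only the two literal values are ever emitted.
function validateSortDirection(string $input): string
{
    return strtoupper($input) === 'DESC' ? 'DESC' : 'ASC';
}

// Initialize with safe defaults, then overwrite only with validated input.
$username = validateUsername($_GET['username'] ?? '');
$sort     = validateSortColumn($_GET['sort'] ?? '');
$dir      = validateSortDirection($_GET['dir'] ?? '');

if ($username === null) {
    http_response_code(400);
    exit('invalid username');
}

// The value is still bound, never concatenated; only the allowlisted identifier
// and keyword appear in the SQL text, and both can only be one of a few
// constants defined above.
$sql  = "SELECT id, username, created_at FROM users WHERE username = :u ORDER BY `$sort` $dir";
$stmt = $pdo->prepare($sql);
$stmt->execute([':u' => $username]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

Validation here is a second layer, not a replacement for the prepared statement: the username check limits what a stored value can look like, while binding is what keeps any input, valid-looking or not, from altering the query.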


Luca tall
Re: How to prevent SQL injection in PHP?
« Reply #5 on: 01-15-2014, 22:31:43 »
SQL injection is a type of vulnerability in web applications that use an SQL database. So to prevent SQL injection we can use "mysql_real_escape_string()".

Kasi Viswanathan
Re: How to prevent SQL injection in PHP?
« Reply #6 on: 01-19-2014, 04:46:26 »
Very best answer with my PHP programming language skill,

Use this function below before you give input to the database:

<?php
// use this function to clean values going into mysql
function mysql_prep($value)
{
    $magic_quotes_active = get_magic_quotes_gpc(); // boolean - true if magic quotes are turned on
    $new_enough_php = function_exists("mysql_real_escape_string"); // boolean - true if the function exists (PHP 4.3 or higher)
    if ($new_enough_php) {
        if ($magic_quotes_active) {
            $value = stripslashes($value); // new PHP but magic quotes are on: strip the slashes they added first
        }
        $value = mysql_real_escape_string($value); // new PHP: use the function to deal with special characters (needs an open mysql_connect() connection)
    } else if (!$magic_quotes_active) {
        // old PHP and magic quotes are off: fall back to addslashes()
        $value = addslashes($value);
    }
    return $value;
}
?>

It will check whether the PHP processor is an older or a newer version, act depending on that, and avoid MySQL injection. Hope this would help you.

 
