Preventing SQL Injection In PHP


SQL Injection is one of the most common vulnerabilities in web applications today.
SQL Injection is a flaw that lets an attacker change the database query an application runs, which can compromise the confidentiality and integrity of the data behind it.

We have received lots of comments from developers who want to know how they can prevent SQL Injection.
So today PHPHurdles is here with a topic that is as interesting as it is crucial for the security of web applications: Preventing SQL Injection in PHP.

Before moving ahead with the tutorial we should know what SQL Injection is: it is a technique an attacker uses to run SQL statements of their own choosing through your application and read or modify your database data.

Let us take an example. We have a sign-in form with two fields, username and password, and the query for it is built by pasting the submitted values straight into the SQL string:

"SELECT * FROM members WHERE username='".$_POST['username']."' AND password='".$_POST['password']."'";

This query looks for a member with a matching username and password in the database table, which is perfectly fine as long as an attacker is not modifying the query with their input.
If we submit the form normally, our input will be like

username: deepak
password: mypassword

But an attacker who wants to inject into this query can submit

username: deepak
password: mypassword'; DROP TABLE 'members'

The quote closes the password string, so everything after it is read as SQL of the attacker's choosing. Whether a second statement such as DROP TABLE actually runs depends on the database driver (the legacy mysql_query() function only ever sent one statement per call), but an attacker does not need that: a password of ' OR '1'='1 turns the WHERE clause into a condition that is always true and logs them in without knowing any password. Either way, we do not want user input to be able to change the structure of the queries sent to our database.

So in this tutorial we will learn how to prevent SQL Injection in PHP.
To protect our database from all such injections we must write our queries so that user input can never be interpreted as SQL. In older versions of PHP (the mysql extension, deprecated in PHP 5.5 and removed in PHP 7.0) we would escape every value with mysql_real_escape_string():

"SELECT * FROM `members` WHERE `username` = '".mysql_real_escape_string($_POST["username"])."' AND `password` = '".mysql_real_escape_string($_POST["password"])."'";

and now the quote in the input is escaped before it reaches the query. Note that this is only safe under two conditions: the escaped value must sit between quotes in the SQL (escaping does nothing for an unquoted numeric value such as `id` = 1 OR 1=1), and the connection character set must have been set with mysql_set_charset() so that the escaping matches what the server will parse. With the injected password from above, the query becomes

SELECT * FROM `members` WHERE `username` = 'deepak' AND `password` = 'mypassword\'; DROP TABLE \'members\''

We can see that the data is now escaped: the DROP TABLE text is not executed as a separate statement but is compared as part of the password string, so no member matches and the login is denied.

With current versions of PHP we use PDO (or mysqli) with prepared statements.
prepare() sends the SQL to the database with placeholders in place of the values, so the structure of the query is fixed at that point; the values bound afterwards are passed as data and cannot be parsed as SQL no matter what characters they contain. This is the recommended defense, and unlike escaping it does not depend on the programmer remembering the quotes around every value.

$conn = new PDO('mysql:host=localhost;dbname=phphurdles;charset=utf8mb4', $dbUser, $dbPass); // connection details are placeholders
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $conn->prepare("SELECT * FROM `members` WHERE `username` = :username AND `password` = :password");
$stmt->bindValue(':username', $_POST["username"]);
$stmt->bindValue(':password', $_POST["password"]);
$stmt->execute();
$member = $stmt->fetch(PDO::FETCH_ASSOC); // false when no member matches
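The two halves of this tutorial side by side, as an added example that is not part of the original post: the concatenated login query, an escaped version standing in for the mysql_real_escape_string() approach (SQLite escapes a quote by doubling it, so a small helper plays that role here), and the prepared-statement version, all run against an in-memory SQLite database through PDO so the script works offline. It also shows the escaping pitfall mentioned above, a value that is escaped but not wrapped in quotes. It assumes PHP 7.1 or later with the pdo_sqlite extension; the members table, the sample rows and the payloads are constructed for the demo.

```php
<?php
// Added example, not code from the PHPHurdles tutorial. Runs the tutorial's
// login query in three forms against an in-memory SQLite database.
// Assumes PHP >= 7.1 with the pdo_sqlite extension; the table, rows and
// payloads below are constructed for this demo.
declare(strict_types=1);

$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec("CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password TEXT NOT NULL)");
$conn->exec("INSERT INTO members (username, password) VALUES ('deepak', 'mypassword'), ('admin', 's3cret')");

// 1. Vulnerable: input is pasted into the SQL text, so a quote in the input
//    changes the structure of the query.
function loginVulnerable(PDO $conn, string $username, string $password): ?array
{
    $sql = "SELECT * FROM members WHERE username='" . $username
         . "' AND password='" . $password . "'";
    $row = $conn->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Stand-in for mysql_real_escape_string(): SQLite escapes a quote by doubling it.
function escapeSqlite(string $value): string
{
    return str_replace("'", "''", $value);
}

// 2. Escaped: safe only because every escaped value sits between quotes.
function loginEscaped(PDO $conn, string $username, string $password): ?array
{
    $sql = "SELECT * FROM members WHERE username='" . escapeSqlite($username)
         . "' AND password='" . escapeSqlite($password) . "'";
    $row = $conn->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escaping pitfall: numeric column, escaped value, but no quotes around it.
// The payload contains no quote to escape, so it is passed through unchanged.
function findByIdEscaped(PDO $conn, string $id): array
{
    $sql = "SELECT * FROM members WHERE id=" . escapeSqlite($id);
    return $conn->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Prepared statement: structure fixed at prepare(), values bound as data.
function loginPrepared(PDO $conn, string $username, string $password): ?array
{
    $stmt = $conn->prepare("SELECT * FROM members WHERE username = :username AND password = :password");
    $stmt->bindValue(':username', $username);
    $stmt->bindValue(':password', $password);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$attack = "x' OR '1'='1";   // closes the string and appends an always-true condition

foreach (['loginVulnerable', 'loginEscaped', 'loginPrepared'] as $fn) {
    printf("%-16s correct password:  %s\n", $fn, $fn($conn, 'deepak', 'mypassword') ? 'logged in' : 'denied');
    printf("%-16s injected password: %s\n", $fn, $fn($conn, 'deepak', $attack) ? 'logged in' : 'denied');
}

printf("findByIdEscaped('1')        -> %d row(s)\n", count(findByIdEscaped($conn, '1')));
printf("findByIdEscaped('0 OR 1=1') -> %d row(s)\n", count(findByIdEscaped($conn, '0 OR 1=1')));
```

Run it with php from the command line. The vulnerable login accepts the injected password because the quote in it ends the string literal and the appended OR makes the WHERE clause true for every row; the escaped and prepared logins both deny it, since the quote is either doubled or sent as data. The unquoted id lookup returns every member for the payload 0 OR 1=1, which is why escaping has to be paired with quoting on every single value while a prepared statement needs no such discipline.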

This is how we keep user input from turning into SQL and protect our applications from one of their most serious vulnerabilities. (Comparing a plaintext password inside the query is a separate weakness: store a password_hash() and check it with password_verify() in PHP after fetching the member by username.) So this is it for this tutorial; you can comment or mail us for more tutorials.

You can also read our tutorial UNDERSTANDING SQL JOINS USING PHP on SQL joins.

Hope this tutorial will help our mates, so guys enjoy your work
Because Hurdles aren’t really Hurdles
