How to prevent a PHP website from SQL injection

Hi friends,

In this post, I would like to explain what SQL injection is and how to protect our website from these attacks.

SQL Injection:

SQL injection is another vulnerability of PHP.  SQL injection refers to the act of anyone inserting a MySQL statement to be run on our database without our knowledge. Injection usually occurs when you ask a user for input, like their name, and instead of a name they give you a MySQL statement that you will unknowingly run on your database.

Example:

MySQL query:

$username = 'Anil';

$query = "select * from users where username = '$username'";

It will run successfully.

If we use a bad username like: $username = "' OR 1";

Normal query: select * from users where username = 'Anil';

Injected query: select * from users where username = '' OR 1

Here the quote in the input is treated as the end of the string literal, so the condition reads

username = ''

and after that comes OR 1

OR 1 is always true, so we can get all the information without knowing any username; the same problem applies to a delete query.

To prevent these injections, always escape the input with mysql_real_escape_string() or addslashes() before it goes into the query:

if (get_magic_quotes_gpc()) {
    $name = stripslashes($name); // undo the automatic quoting so the value is not escaped twice
}
// needs an open mysql_connect() link; the mysql_* extension and magic quotes exist only up to PHP 5
$name = mysql_real_escape_string($name);

$query = "select * from users where username = '$name'";

Now the website is protected from SQL injection.

Anil Kumar Panigrahi

With more than 10 years of experience in PHP and founder of Anil Labs, a blog for PHP and related posts. He has contributed posts regarding CodeIgniter, CakePHP and Learn PHP online.


10 Responses

  1. PHPGangsta says:

    Perhaps it’s also a good tip to use prepared statements, that prevents SQL Injection, too.

  2. Great to see you’re checking for “get_magic_quotes_gpc()”. I sometimes tend to forget that while it can be quite important.

    Don’t forget that SQL injection doesn’t just cover MySQL, it’s something that can occur on usage of any database server.

  3. Nayan Paul says:

    I think this is best for preventing SQL injection

    function makeEncode($sql)
    {
        // strip the listed SQL keywords and punctuation, case-insensitively
        $sql = preg_replace('/(from|select|insert|delete|where|drop table|like|show tables|\'|"|=|-|;|,|\||#|\*|--|\\\\)/i', '', $sql);
        $sql = trim($sql);
        $sql = strip_tags($sql);
        $sql = (get_magic_quotes_gpc()) ? stripslashes($sql) : mysql_real_escape_string($sql);
        $sql = htmlentities($sql);
        return $sql;
    }

  4. Tim Zappa says:

    >SQL injection is another vulnerability of PHP.

    As polite as I can possibly say it… You are an idiot! PHP/SQL works exactly as it should. It is the incompetent and inexperienced programmers that create these security holes.

  5. Charlie B says:

    This isn’t only a PHP issue, or a particular database issue, but every language and every database is vulnerable, as well as other storage technologies like XML/XPath.

    Magic quotes and strip slashes can help mitigate the risk, but using parametrized queries will stop every way of injecting. I would re-write the code to:

    $query = "select * from users where username = ?"; // query definition
    $preparedStatement = $database_connection->prepare($query); // prepare the statement
    mysqli_stmt_bind_param($preparedStatement, 's', $field1); // bind one string parameter (the s); $field1 is bound by reference
    $field1 = $name; // you may want to do more input checking here!
    mysqli_stmt_execute($preparedStatement); // execute the parametrized query

    I have a very in depth article on the same
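The post's escaping advice and the prepared statement from Charlie B's comment above, side by side in one script. This is an added example, not code from the post or from any of the commenters: it uses an in-memory SQLite database through PDO instead of MySQL so it runs offline, assumes PHP 7.4+ with the pdo_sqlite extension, and uses PDO::quote() in place of mysql_real_escape_string() (the mysql_* extension was removed in PHP 7). The table rows, the inputs and the function names (openSampleDatabase, countBy...) are all constructed for the example.

```php
<?php
// Added example, not code from the post or from any of the commenters.
// Runs the post's "users" lookup several ways against an in-memory SQLite
// database through PDO, so no MySQL server is needed. Assumes PHP 7.4+ with
// the pdo_sqlite extension; the table, rows and inputs are constructed here.

function openSampleDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
    $db->exec("INSERT INTO users (username) VALUES ('Anil'), ('Bob'), ('Carol')");
    return $db;
}

// 1. The post's first query: the input is pasted straight into the SQL text.
function countByConcatenation(PDO $db, string $username): int
{
    $query = "SELECT * FROM users WHERE username = '$username'";
    return count($db->query($query)->fetchAll());
}

// 2. The post's fix: escape the value before pasting it in. PDO::quote() is the
//    driver-aware counterpart of mysql_real_escape_string() (it also adds the
//    surrounding quotes), so a quote in the input can no longer end the literal.
function countByEscaping(PDO $db, string $username): int
{
    $query = 'SELECT * FROM users WHERE username = ' . $db->quote($username);
    return count($db->query($query)->fetchAll());
}

// 3. The prepared statement from Charlie B's comment, written with PDO: the SQL
//    text and the value travel separately, so the value is never parsed as SQL.
function countByPreparedStatement(PDO $db, string $username): int
{
    $stmt = $db->prepare('SELECT * FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return count($stmt->fetchAll());
}

// 4. Where escaping is not enough: a numeric column compared without quotes.
//    addslashes() (also named in the post) leaves "1 OR 1" untouched because
//    there is no quote to escape, and the OR lands inside the WHERE clause.
function countByIdWithAddslashes(PDO $db, string $id): int
{
    $query = 'SELECT * FROM users WHERE id = ' . addslashes($id);
    return count($db->query($query)->fetchAll());
}

// The bound parameter is sent as a value, so the same input matches no row.
function countByIdPrepared(PDO $db, string $id): int
{
    $stmt = $db->prepare('SELECT * FROM users WHERE id = ?');
    $stmt->execute([$id]);
    return count($stmt->fetchAll());
}

$db = openSampleDatabase();

// The post's payload is "' OR 1". The template puts a closing quote after the
// value, so this constructed payload ends with "OR '" to keep the statement
// parseable:  ... WHERE username = '' OR 1 OR ''
$payload = "' OR 1 OR '";

printf("concatenated, 'Anil':    %d row(s)\n", countByConcatenation($db, 'Anil'));
printf("concatenated, payload:   %d row(s)\n", countByConcatenation($db, $payload));
printf("escaped, payload:        %d row(s)\n", countByEscaping($db, $payload));
printf("prepared, payload:       %d row(s)\n", countByPreparedStatement($db, $payload));
printf("prepared, 'Anil':        %d row(s)\n", countByPreparedStatement($db, 'Anil'));

printf("id addslashes, '1':      %d row(s)\n", countByIdWithAddslashes($db, '1'));
printf("id addslashes, '1 OR 1': %d row(s)\n", countByIdWithAddslashes($db, '1 OR 1'));
printf("id prepared, '1 OR 1':   %d row(s)\n", countByIdPrepared($db, '1 OR 1'));
```

Run it with php from the command line. The concatenated query returns a single row for Anil and every row for the payload; the escaped and prepared variants return nothing for the payload, because it is compared as a plain string. The last three lines are the caveat to the post's advice: against the unquoted numeric column, addslashes() leaves "1 OR 1" unchanged and the query again returns every row, while the bound parameter matches nothing because it is passed as a value rather than as SQL text.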

  6. phphunger says:

    As per my knowledge, every programming language faces such kinds of attacks, but the major thing is that as PHP is loosely typed, the attacking is somewhat severe. But as new versions keep on releasing, all the flaws are being overcome in the latest versions. I have written something about SQL injections in my blog also, with some extra information; you can find it here.

  7. Rahul says:

    Great information about SQL injection
