How to prevent a PHP website from SQL injection

Hi friends,

In this post, I would like to explain what SQL injection is and how to protect our website from these attacks.

SQL Injection:

SQL injection is another vulnerability of PHP. SQL injection refers to anyone being able to insert a MySQL statement that is then run on our database without our knowledge. Injection usually occurs when you ask a user for input, such as their name, and instead of a name they give you a MySQL statement that you unknowingly run on your database.

Example :

MySQL Query:

$username = 'Anil';

$query = "select * from users where username='$username'";

It will run successfully.

If we use a bad username like: $username = "' OR 1";

Normal Query: select * from users where username='Anil';

Injected Query: select * from users where username='' OR 1';

Here the quote (') is treated as the end of the string in that query, so it becomes

username = ''

and after that OR 1 is added.

OR 1 is always true, so we can get all the information without knowing a username at all; the same problem applies to a delete query.

To prevent these injections, always use mysql_real_escape_string() or addslashes().

if (get_magic_quotes_gpc()) {
    $name = stripslashes($name);   // undo magic-quotes escaping so the value is not escaped twice
}
$name = mysql_real_escape_string($name);   // escape quotes and other special characters for the current connection
$query = "select * from users where username='$name'";

Now we can protect the website from SQL injection.
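As an added example (not code from the original post or its comments), here is the post's lookup written both ways in PHP: the string-built query that is open to the bad username above, and the same lookup as a mysqli prepared statement. It assumes a users table with a username column, placeholder connection details, and the mysqlnd driver (for get_result()).

```php
<?php
// Added example, not from the original post. Assumes a MySQL database with a
// `users` table that has a `username` column (constructed assumption).

function find_user_unsafe(mysqli $db, string $username): array {
    // Vulnerable: the input is spliced into the SQL text, so a value that
    // contains a quote changes the structure of the query instead of being
    // compared as data (this is exactly the post's "bad username" problem).
    $query = "SELECT * FROM users WHERE username='$username'";
    $result = $db->query($query);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

function find_user_safe(mysqli $db, string $username): array {
    // Hardened: the SQL text is fixed when prepare() runs; the value is sent
    // separately as a bound parameter and is never parsed as SQL, whatever
    // quotes or keywords it contains. No escaping function is needed.
    $stmt = $db->prepare("SELECT * FROM users WHERE username=?");
    $stmt->bind_param('s', $username);           // 's' = bind as a string
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);   // needs mysqlnd
}

// Connection details are placeholders; replace them with your own.
$db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');
// Escaping and binding are only correct for the charset the connection declares.
$db->set_charset('utf8mb4');

// The post's "bad username", constructed here as sample input. The trailing
// "-- " comments out the closing quote so the unsafe query stays valid SQL.
$input = "' OR 1 -- ";

// The unsafe query matches every row; the prepared query matches none,
// because no user is literally named "' OR 1 -- ".
echo count(find_user_unsafe($db, $input)), " rows from the string-built query\n";
echo count(find_user_safe($db, $input)), " rows from the prepared statement\n";
```

Run it against a throwaway test database only; the point is the difference in row counts between the two functions for the same input.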

  1. Great to see you're checking for "get_magic_quotes_gpc()". I sometimes tend to forget that, while it can be quite important.

    Don't forget that SQL injection doesn't just cover MySQL; it's something that can occur on usage of any database server.

  2. I think this is best for preventing SQL injection:

    function makeEncode($sql) {
        // Strips SQL keywords and punctuation from the input (blacklist approach).
        // The /i flag makes the match case-insensitive (sql_regcase() was removed in PHP 7).
        $sql = preg_replace('/(from|select|insert|delete|where|drop table|like|show tables|\\\'|\'| |=|-|;|,|\||#|\*|--|\\\\)/i', '', $sql);
        $sql = trim($sql);
        $sql = strip_tags($sql);
        $sql = (get_magic_quotes_gpc()) ? stripslashes($sql) : mysql_real_escape_string($sql);
        $sql = htmlentities($sql);
        return $sql;
    }

  6. Tim Zappa

    >SQL injection is another vulnerability of PHP.

    As polite as I can possibly say it… You are an idiot! PHP/SQL works exactly as it should. It is the incompetent and inexperienced programmers that create these security holes.

  7. This isn’t only a PHP issue, or a particular database issue, but every language and every database is vulnerable, as well as other storage technologies like XML/XPath.

    Magic quotes and strip slashes can help mitigate the risk, but using parametrized queries will stop every way of injecting. I would re-write the code to:

    $query = "select * from users where username=?"; // query definition
    $preparedStatement = $database_connection->prepare($query); // prepare the statement on an open mysqli connection
    mysqli_stmt_bind_param($preparedStatement, 's', $field1); // bind $field1 as a string (the s); it is bound by reference
    $field1 = $name; // you may want to do more input checking here!
    mysqli_stmt_execute($preparedStatement); // execute the parametrized query

    I have a very in-depth article on the same.

  8. As per my knowledge, every programming language faces such kinds of attacks, but the major thing is that as PHP is a loosely typed language, the attacks are somewhat more severe. But as new versions keep on being released, all the flaws are being overcome in the latest versions. I have written something about SQL injection in my blog also, with some extra information; you can find it here: http://phphunger.blogspot.in/2012/06/how-to-prevent-php-code-from-sql.html

