How to Prevent SQL Injection in PHP

This wikiHow teaches you how to prevent SQL injection using Prepared Statements in PHP. SQL injection is one of the most common vulnerabilities in Web applications today. Prepared Statements use bound parameters and do not combine variables with SQL strings, making it impossible for an attacker to modify the SQL statement.

Prepared Statements combine the variable with the compiled SQL statement, so that the SQL and the variables are sent separately. The variables are then interpreted as mere strings and not part of the SQL statement. Using the methods in the steps below, you will not need to use any other SQL injection filtering techniques such as the mysql_real_escape_string().[1]

Part 1
Part 1 of 2:

Understanding SQL Injection

  1. 1
    SQL Injection is a type of vulnerability in applications that use a SQL database. The vulnerability arises when a user input is used in a SQL Statement: 
    $name = $_GET['username'];
$query = "SELECT password FROM tbl_user WHERE name = '$name' ";
  2. 2
    The value a user enters into the URL variable username will be assigned to the variable $name. It's then placed directly into the SQL statement, making it possible for the user to edit the SQL statement. 
    $name = "admin' OR 1=1 -- ";
$query = "SELECT password FROM tbl_user WHERE name = '$name' ";
    Advertisement
  3. 3
    The SQL database will then receive the SQL statement as follows: 
    SELECT password FROM tbl_users WHERE name = 'admin' OR 1=1 -- '
    • This is valid SQL, but instead of returning one password for the user, the statement will return all the passwords in the table tbl_user. This is not something you want in your web applications.
    4. Advertisement
Part 2
Part 2 of 2:

Using mySQLi to Create Prepared Statements

  1. Image titled 2542820 1
    1
    Create the mySQLi SELECT Query. Use the code below to SELECT data from a table using mySQLi Prepared Statements. 
    $name = $_GET['username'];

if ($stmt = $mysqli->prepare("SELECT password FROM tbl_users WHERE name=?")) {

    // Bind a variable to the parameter as a string. 
    $stmt->bind_param("s", $name);

    // Execute the statement.
    $stmt->execute();

    // Get the variables from the query.
    $stmt->bind_result($pass);

    // Fetch the data.
    $stmt->fetch();

    // Display the data.
    printf("Password for user %s is %s\n", $name, $pass);

    // Close the prepared statement.
    $stmt->close();

}
    • Note: The variable $mysqli is the mySQLi Connection Object.
  2. Image titled 2542820 2
    2
    Create the mySQLi INSERT Query. Use the code below to INSERT data into a table using mySQLi Prepared Statements. 
    $name = $_GET['username'];
$password = $_GET['password'];

if ($stmt = $mysqli->prepare("INSERT INTO tbl_users (name, password) VALUES (?, ?)")) {

    // Bind the variables to the parameter as strings. 
    $stmt->bind_param("ss", $name, $password);

    // Execute the statement.
    $stmt->execute();

    // Close the prepared statement.
    $stmt->close();

}
    • Note: The variable $mysqli is the mySQLi Connection Object.
  3. Image titled 2542820 3
    3
    Create the mySQLi UPDATE Query. Use the code below to UPDATE data in a table using mySQLi Prepared Statements. 
    $name = $_GET['username'];
$password = $_GET['password'];

if ($stmt = $mysqli->prepare("UPDATE tbl_users SET password = ? WHERE name = ?")) {

    // Bind the variables to the parameter as strings. 
    $stmt->bind_param("ss", $password, $name);

    // Execute the statement.
    $stmt->execute();

    // Close the prepared statement.
    $stmt->close();

}
    • Note: The variable $mysqli is the mySQLi Connection Object.
  4. Image titled 2542820 4
    4
    Create the mySQLi DELETE Query. The below script is how to DELETE data from a table using mySQLi Prepared Statements. 
    $name = $_GET['username'];
$password = $_GET['password'];

if ($stmt = $mysqli->prepare("DELETE FROM tbl_users WHERE name = ?")) {

    // Bind the variable to the parameter as a string. 
    $stmt->bind_param("s", $name);

    // Execute the statement.
    $stmt->execute();

    // Close the prepared statement.
    $stmt->close();

}
    • Note: The variable $mysqli is the mySQLi Connection Object.
    5. Advertisement

Community Q&A

  • Question
    Why use the $_GET method instead of the $_POST method?
    Community Answer
    Community Answer
    $_GET is easier to use when developing or when no user-sensitive data is being sent. Examples could include info for the generation of the webpage, or a position where the user scrolled last on the page, etc.
Advertisement

You Might Also Like

Open a PHP File
How to
Open a PHP File
Install PHPMailer
How to
Install PHPMailer
Write PHP Scripts
How to
Write PHP Scripts
Learn PHP and MySQL
How to
Learn PHP and MySQL
Create a Secure Session Management System in PHP and MySQL
How to
Create a Secure Session Management System in PHP and MySQL
Create a Calendar in PHP
How to
Create a Calendar in PHP
Advertisement

References

  1. https://www.owasp.org/index.php/SQL_Injection

About This Article

wikiHow is a “wiki,” similar to Wikipedia, which means that many of our articles are co-written by multiple authors. To create this article, 19 people, some anonymous, worked to edit and improve it over time. This article has been viewed 217,357 times.
How helpful is this?
Co-authors: 19
Updated: October 21, 2021
Views: 217,357
Categories: PHP | Software
Advertisement