How to prevent SQL injection in PHP?

Question

Ahsan Aslam · Answer

use a php function name 'mysql_real_escape_string()' but this function will be deprecated in5.5.0 version of php.
but you can use MySQLi or PDO_MySQL for prevent the sql injection in php.

Mohammad Shalabi · Answer

Use parameterized queries

مستخدم محذوف‎ · Answer

If you maintaining a server, I would suggest you can hardened your PHP by using suhosin extensions in the project.
By default, FreeBSD is using this technology in PHP.
You can find the information on www.hardened-php.net I hope this help you

Oliver Russell · Answer

There are basically two main methods to prevent sql injection attacks.

Make a function like this

function BlockSQLInjection($str)

{

return str_replace(array(“‘”,”””,”‘”,'”‘),array(“‘”,”"”‘”,”"”,$str));

}

?>

str_replace() function will replace all characters in the string

Another method is to use prepared statement to execute sql queries.

You can also prevent php sql injection attacks by removing unused stored procedures.

Zeeshan Mohammad · Answer

You can use prepared statements.
These are sql statements that are parsed by the database server separate from the parameters so if one sends in some injected parameter value, then its effect is handled during parsing.

islam khalil · Answer

MYSQLi : Use  mysql_real_escape_string($unsafe_variable);
PDO :Use prepared statements and parameterized queries

Wali Farooqui · Answer

using PDO
$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');

$stmt->execute(array(':name' => $name));

foreach ($stmt as $row) {
    // do something with $row
}

خدمات بيت.كوم

استخدم تطبيق بيت.كوم

ابدأ بالتواصل مع الأشخاص وتبادل معارفك المهنية

How to prevent SQL injection in PHP?

عمليات البحث الشائعة

المزيد من الأسئلة المماثلة