Start networking and exchanging professional insights

Register now or log in to join your professional community.

Follow

How to prevent SQL injection in PHP?

user-image
Question added by Hamzeh Abu Zakham , Director of Software Development , bayt.com
Date Posted: 2013/04/13
Deleted user
by Deleted user

Here's an article that explains basics of SQL injection and provides methods to prevent injection using an example: http://www.thegeekstuff.com/2012/02/sql-injection-attacks.
I hope this helps!

Rani Alomari
by Rani Alomari , Full Stack .Net Developer , Jordan Center for Diseases Control (JCDC)

السلام عليكم كيف تحمي موقعك من الانجكشن ؟ تجربة سنوات طوال اعطيك ملخصها ببساطة اولا قم بتحميل البرنامج الشهير التالي الذي من خلاله تستطيع معرفة هل صفحتك بها ثغرة اس كيو ال انجيكشين http://www.4shared.com/zip/Fuk6IAp0/Havij_115.html هذا البرنامج يستخدمه الهاكرز لاستغلال ثغرة الانجيكشين ثانيا : دعنا ناخذ المثال التالي select some_fields from some_table where id=$_GET['parameter'] هذا الكود به ثغرة الانجيكشين اذا كتبته بالطريقة التالية يتوقف الانجيكشين select some_fields from some_table where id='$_GET['parameter']' وغير هيك جربت كل الطرق ما زبطت سوى هاي الطريقة وهي ان تضع الباراميتر بين الاشارتين التاليتين ''

islam khalil
by islam khalil , Technical Manager , iCloudit

A common practice in PHP is to escape parameters using the function called mysql_real_escape_string() , Also , Very Important to note this some attacker use encoded characters to attack , keep in your mind to set certain length for your query string

Ahmed Sadek
by Ahmed Sadek , Oracle DBA , Egyptian International Motors

you can use mysql_real_escape_string() and make sure that you encrypt the passwords before inserting them into the database as you know there are many types of encryption like md5,sha1,hash but im sure there are decrypting softwares available on the web for the md5 if you want high security use the salt encryption technique, Hope you find that useful.
Ahmed Sadek.

Ammar Abu Qoura
by Ammar Abu Qoura , Senior Project Manager , Yadonia Group

one way is to use mysql_real_escape_string but this will not protect your code if you have a dynamic sql statement that allow to select from any table

Deleted user
by Deleted user

You've got two options - escaping the special characters in your variable that receives the input , or using a parameterized query using PDO or something else: http://php.net/manual/en/book.pdo.php

Hazem Salama
by Hazem Salama , Senior Member of Technical Staff , Verizon Communications

One way is to stop using any SQL code in your front-end and exclusively use stored procedures for all database access, provided of course that your database system supports them

Rajesh kumar
by Rajesh kumar , Web Developer , ONS Interactive Solutions Pvt Ltd

We know that, this problem has been known for a while and PHP has a specially-made function to prevent these attacks.
All you need to do is use the mouthful of a function mysql_real_escape_string.
What mysql_real_escape_string does is take a string that is going to be used in a MySQL query and return the same string with all SQL Injection attempts safely escaped.
Basically, it will replace those troublesome quotes(') a user might enter with a MySQL-safe substitute, an escaped quote \'.

Deleted user
by Deleted user

Defending Against SQL Injection Attacks

The good news is that there actually is a lot that web site owners can do to defend against SQL injection attacks. Although there is no such thing as a100 percent guarantee in network security, formidable obstacles can be placed in the path of SQL injection attempts.

1. Comprehensive data sanitization. Web sites must filter all user input. Ideally, user data should be filtered for context. For example, e-mail addresses should be filtered to allow only the characters allowed in an e-mail address, phone numbers should be filtered to allow only the characters allowed in a phone number, and so on.

2. Use a web application firewall. A popular example is the free, open source module ModSecurity which is available for Apache, Microsoft IIS, and nginx web servers. ModSecurity provides a sophisticated and ever-evolving set of rules to filter potentially dangerous web requests. Its SQL injection defenses can catch most attempts to sneak SQL through web channels.

3. Limit database privileges by context. Create multiple database user accounts with the minimum levels of privilege for their usage environment. For example, the code behind a login page should query the database using an account limited only to the relevent credentials table. This way, a breach through this channel cannot be leveraged to compromise the entire database.

4. Avoid constructing SQL queries with user input. Even data sanitization routines can be flawed. Ideally, using SQL variable binding with prepared statements or stored procedures is much safer than constructing full queries.

Any one of these defenses significantly reduces the chances of a successful SQL injection attack. Implementing all four is a best practice that will provide an extremely high degree ofprotection. Despite its widespread use, your web site does not have to be SQL injection's next victim.

Jamal Aruna
by Jamal Aruna , IT Lead/Web Programmer , Islamic Online University

You may use the PEAR/PDO libraries to run your queries or try the sql binding technique.Otherwise learn an MVC framework like codeigniter which does prevent sql injection

abdul rahman Mohammed
by abdul rahman Mohammed , Sr. Information Security Engineer , INNOVATIVE SOLUTIONS

Allow only the trusted meta characters as input 

More Questions Like This