Languages
[Edit]
EN

PHP - how to prevent SQL injection?

17 points
Created by:
AnnLen
1771

Web development requires to guarant safety of application. Really serious problem is to prevent against SQL Injection Attack. This kind of attack is based on typing SQL sub querry in value place of main query. One way to prevent of this kind of attack is to escape some dangerous charactes from values. PHP provaids special API that helps to solve this problem. In this article simple solutions how to prevent the attack has been shown.

1. PDO class example

In this example solution how to use :role agrument to prevent SQL Injection has been shown. With this approach all dangerous characters that are sent inside role argument are escaped as safe text and paced into SQL query.

<?php

	if(isset($_GET['role']))
	{
		$role = $_GET['role'];

		$db_name = 'test';
		$db_host = '127.0.0.1'; // 'localhost'
		$db_username = 'root';
		$db_password = 'root';

		$dsn = 'mysql:dbname=' . $db_name . ';host=' . $db_host . ';charset=utf8';
		$pdo = new PDO($dsn, $db_username, $db_password);
		
		$statement = $pdo->prepare('SELECT * FROM `users` WHERE `role` = :role');

		if($statement === FALSE)
			die('Query preparation error!');

		$parameters = array(
			'role' => $role
		);

		echo '<pre>';
		echo "[ID]\t[name]\t[role]<br />";

		if($statement->execute($parameters))
		{
			while ($row = $statement->fetch(PDO::FETCH_OBJ))
			{
				//echo print_r($row, true);
				
				echo $row->id . "\t" . $row->name . "\t" . $row->role . '<br />';
			}
		}
		
		echo '</pre>';
	}

?>

Result:

SQL Injection prevention with PDO class - PHP / MySQL.
SQL Injection prevention with PDO class - PHP / MySQL.

2. MySQLi example

In this example bind_param function has been used with question mark inside SQL query to escape all dangerous characters.

<?php

	if(isset($_GET['role']))
	{
		$role = $_GET['role'];

		$db_name = 'test';
		$db_host = '127.0.0.1'; // 'localhost'
		$db_username = 'root';
		$db_password = 'root';

		$mysqli = new mysqli($db_host, $db_username, $db_password, $db_name);
		
		if($mysqli->connect_error)
			die('Database connection error!');
		
		if($statement = $mysqli->prepare('SELECT * FROM `users` WHERE `role` = ?'))
		{
			$statement->bind_param('s', $role); // string parameter
			
			if($statement->execute())
			{
				$statement->bind_result($row_id, $row_name, $row_role);
				
				echo '<pre>';
				echo "[ID]\t[name]\t[role]<br />";

				while ($statement->fetch())
					echo $row_id . "\t" . $row_name . "\t" . $row_role . '<br />';
				
				echo '</pre>';
			}
			else
				echo 'Query execution error!';
			
			$statement->close();
		}
		else
			echo 'Query preparation error!';
		
		$mysqli->close();
	}

?>

Result:

SQL Injection prevention with mysqli class - PHP / MySQL.
SQL Injection prevention with mysqli class - PHP / MySQL.

3. mysql_real_escape_string function example

Note: this approach is marked as depricated since PHP 5.5.0 and removed sice PHP 7.0.0. 

<?php

	if(isset($_GET['role']))
	{
		$unescaped_role = $_GET['role'];

		$db_name = 'test';
		$db_host = '127.0.0.1'; // 'localhost'
		$db_username = 'root';
		$db_password = 'root';

		$connection = mysql_connect($db_host, $db_username, $db_password);

		if($connection === FALSE)
			die('Database connection error!');
		
		if(mysql_select_db($db_name, $connection))
		{
			$escaped_role = mysql_real_escape_string($unescaped_role, $connection);

			$query = 'SELECT * FROM `users` WHERE `role` = \'' . $escaped_role . '\'';
			$result = mysql_query($query, $connection);

			if($result === FALSE)
				die('Query operation error!');
			
			echo '<pre>';
			echo "[ID]\t[name]\t[role]<br />";

			while ($row = mysql_fetch_object($result))
				echo $row->id . "\t" . $row->name . "\t" . $row->role . '<br />';
			
			echo '</pre>';
		}
		else
			echo 'Database selection error!';
		
		mysql_close($connection);
	}

?>

Result:

SQL Injection prevention with mysql_real_escape_string function - PHP / MySQL.
SQL Injection prevention with mysql_real_escape_string function - PHP / MySQL.

4. Database preparation

create_tables.sql file:

CREATE TABLE `users` (
	`id` INT(10) UNSIGNED NOT NULL AUTO_INCREMENT,
	`name` VARCHAR(100) NOT NULL,
	`role` VARCHAR(15) NOT NULL,
	PRIMARY KEY (`id`)
)
ENGINE=InnoDB;

insert_data.sql file:

INSERT INTO `users`
	(`name`, `role`)
VALUES
	('John', 'admin'),
	('Chris', 'moderator'),
	('Kate', 'user'),
	('Denis', 'moderator');

See also

  1. PHP - how to make MySQL insert query with PDO?
  2. PHP - how to make MySQL select query with PDO?
  3. PHP - how to make MySQL update query with PDO?
  4. PHP - how to make MySQL delete query with PDO?

 

Hey 👋
Would you like to know what we do?
  • Dirask is a friendly IT community for learners, professionals and hobbyists to share their knowledge and help each other in extraordinary easy way.
  • We welcome everyone,
    no matter what the experience,
    no matter how basic the question is,
    this community will help you.