Languages
[Edit]
EN

PHP - how to prevent SQL injection?

17 points
Created by:
Wiktor-Sribiew
800

Web development requires to guarant safety of application. Really serious problem is to prevent against SQL Injection Attack. This kind of attack is based on typing SQL sub querry in value place of main query. One way to prevent of this kind of attack is to escape some dangerous charactes from values. PHP provaids special API that helps to solve this problem. In this article simple solutions how to prevent the attack has been shown.

1. PDO class example

In this example solution how to use :role agrument to prevent SQL Injection has been shown. With this approach all dangerous characters that are sent inside role argument are escaped as safe text and paced into SQL query.

<?php

	if(isset($_GET['role']))
	{
		$role = $_GET['role'];

		$db_name = 'test';
		$db_host = '127.0.0.1'; // 'localhost'
		$db_username = 'root';
		$db_password = 'root';

		$dsn = 'mysql:dbname=' . $db_name . ';host=' . $db_host . ';charset=utf8';
		$pdo = new PDO($dsn, $db_username, $db_password);
		
		$statement = $pdo->prepare('SELECT * FROM `users` WHERE `role` = :role');

		if($statement === FALSE)
			die('Query preparation error!');

		$parameters = array(
			'role' => $role
		);

		echo '<pre>';
		echo "[ID]\t[name]\t[role]<br />";

		if($statement->execute($parameters))
		{
			while ($row = $statement->fetch(PDO::FETCH_OBJ))
			{
				//echo print_r($row, true);
				
				echo $row->id . "\t" . $row->name . "\t" . $row->role . '<br />';
			}
		}
		
		echo '</pre>';
	}

?>

Result:

SQL Injection prevention with PDO class - PHP / MySQL.
SQL Injection prevention with PDO class - PHP / MySQL.

2. MySQLi example

In this example bind_param function has been used with question mark inside SQL query to escape all dangerous characters.

<?php

	if(isset($_GET['role']))
	{
		$role = $_GET['role'];

		$db_name = 'test';
		$db_host = '127.0.0.1'; // 'localhost'
		$db_username = 'root';
		$db_password = 'root';

		$mysqli = new mysqli($db_host, $db_username, $db_password, $db_name);
		
		if($mysqli->connect_error)
			die('Database connection error!');
		
		if($statement = $mysqli->prepare('SELECT * FROM `users` WHERE `role` = ?'))
		{
			$statement->bind_param('s', $role); // string parameter
			
			if($statement->execute())
			{
				$statement->bind_result($row_id, $row_name, $row_role);
				
				echo '<pre>';
				echo "[ID]\t[name]\t[role]<br />";

				while ($statement->fetch())
					echo $row_id . "\t" . $row_name . "\t" . $row_role . '<br />';
				
				echo '</pre>';
			}
			else
				echo 'Query execution error!';
			
			$statement->close();
		}
		else
			echo 'Query preparation error!';
		
		$mysqli->close();
	}

?>

Result:

SQL Injection prevention with mysqli class - PHP / MySQL.
SQL Injection prevention with mysqli class - PHP / MySQL.

3. mysql_real_escape_string function example

Note: this approach is marked as depricated since PHP 5.5.0 and removed sice PHP 7.0.0. 

<?php

	if(isset($_GET['role']))
	{
		$unescaped_role = $_GET['role'];

		$db_name = 'test';
		$db_host = '127.0.0.1'; // 'localhost'
		$db_username = 'root';
		$db_password = 'root';

		$connection = mysql_connect($db_host, $db_username, $db_password);

		if($connection === FALSE)
			die('Database connection error!');
		
		if(mysql_select_db($db_name, $connection))
		{
			$escaped_role = mysql_real_escape_string($unescaped_role, $connection);

			$query = 'SELECT * FROM `users` WHERE `role` = \'' . $escaped_role . '\'';
			$result = mysql_query($query, $connection);

			if($result === FALSE)
				die('Query operation error!');
			
			echo '<pre>';
			echo "[ID]\t[name]\t[role]<br />";

			while ($row = mysql_fetch_object($result))
				echo $row->id . "\t" . $row->name . "\t" . $row->role . '<br />';
			
			echo '</pre>';
		}
		else
			echo 'Database selection error!';
		
		mysql_close($connection);
	}

?>

Result:

SQL Injection prevention with mysql_real_escape_string function - PHP / MySQL.
SQL Injection prevention with mysql_real_escape_string function - PHP / MySQL.

4. Database preparation

create_tables.sql file:

CREATE TABLE `users` (
	`id` INT(10) UNSIGNED NOT NULL AUTO_INCREMENT,
	`name` VARCHAR(100) NOT NULL,
	`role` VARCHAR(15) NOT NULL,
	PRIMARY KEY (`id`)
)
ENGINE=InnoDB;

insert_data.sql file:

INSERT INTO `users`
	(`name`, `role`)
VALUES
	('John', 'admin'),
	('Chris', 'moderator'),
	('Kate', 'user'),
	('Denis', 'moderator');

See also

  1. PHP - how to make MySQL insert query with PDO?
  2. PHP - how to make MySQL select query with PDO?
  3. PHP - how to make MySQL update query with PDO?
  4. PHP - how to make MySQL delete query with PDO?

 

Donate to Dirask
Our content is created by volunteers - like Wikipedia. If you think, the things we do are good, donate us. Thanks!
Join to our subscribers to be up to date with content, news and offers.
Native Advertising
🚀
Get your tech brand or product in front of software developers.
For more information Contact us
Dirask - we help you to
solve coding problems.
Ask question.

❤️💻 🙂

Join