How to prevent SQL injection in PHP?

 

What is SQL Injection?

SQL Injection is a very simple attack technique. To understand this attack, you first need to know how web applications interact with database servers. Web applications accept data from the users and create a SQL statement based on the user input. When submitting a form, the user input is sent to PHP script via HTTP POST method. The PHP script takes the user inputs from HTTP POST variable and appends it to SQL statement. The resulting SQL statement is then send to database server for execution. This type of interaction between web application and database server makes is possible for attacker to inject malicious code into SQL statements and make it execute on database server which can cause disclosure of sensitive information or complete compromise of database server.

How to prevent SQL injection in PHP?

• Use parameterized queries

• Use prepared statements

• Use stored procedures

• Use escaping functions

• Use LIMIT when using SELECT

• Use whitelist input validation

• Use object relational mapping frameworks

• User a web application firewall (WAF) or use tools like ModSecurity, SQL Power Injector or Netsparker. It's possible to configure your WAF to block malicious request which contain SQL injection attempts. This can protect you from cross-site scripting and other vulnerabilities, too. You can also use tools like ModSecurity or the PHPIDS library. They are an IDS (intrusion detection system) that analyzes all incoming requests and blocks if they appear to be malicious. IDSs are usually easier to install than a WAF since they do not require you to configure your web server, but on the other hand they require more resources because every request has to be analyzed by a PHP script that scans for attack patterns in the request data.

 

You should always use prepared statements and parameterized queries when interacting with MySQL database.

Prepared statements are a way of making sure that your code is safe from SQL injection attacks. Essentially, you can tell the server to prepare something for you to insert in the database which will be run once, and then not do anything else unless it encounters an error. This increases security as it allows less information to be sent around, thereby preventing more information from being stolen.

Parameterized queries will help you protect your query from SQL injection by using names that have known values, so that attackers who try to inject their own values will fail when asked for them.