PHPFixing
  • Privacy Policy
  • TOS
  • Ask Question
  • Contact Us
  • Home
  • PHP
  • Programming
  • SQL Injection
  • Web3.0

How to prevent SQL injection in PHP?

 


What is SQL Injection?

SQL Injection is a very simple attack technique. To understand this attack, you first need to know how web applications interact with database servers. Web applications accept data from the users and create a SQL statement based on the user input. When submitting a form, the user input is sent to PHP script via HTTP POST method. The PHP script takes the user inputs from HTTP POST variable and appends it to SQL statement. The resulting SQL statement is then send to database server for execution. This type of interaction between web application and database server makes is possible for attacker to inject malicious code into SQL statements and make it execute on database server which can cause disclosure of sensitive information or complete compromise of database server.

How to prevent SQL injection in PHP?

  • Use parameterized queries

  • Use prepared statements

  • Use stored procedures

  • Use escaping functions

  • Use LIMIT when using SELECT

  • Use whitelist input validation

  • Use object relational mapping frameworks

  • User a web application firewall (WAF) or use tools like ModSecurity, SQL Power Injector or Netsparker. It's possible to configure your WAF to block malicious request which contain SQL injection attempts. This can protect you from cross-site scripting and other vulnerabilities, too. You can also use tools like ModSecurity or the PHPIDS library. They are an IDS (intrusion detection system) that analyzes all incoming requests and blocks if they appear to be malicious. IDSs are usually easier to install than a WAF since they do not require you to configure your web server, but on the other hand they require more resources because every request has to be analyzed by a PHP script that scans for attack patterns in the request data.

 

You should always use prepared statements and parameterized queries when interacting with MySQL database.

Prepared statements are a way of making sure that your code is safe from SQL injection attacks. Essentially, you can tell the server to prepare something for you to insert in the database which will be run once, and then not do anything else unless it encounters an error. This increases security as it allows less information to be sent around, thereby preventing more information from being stolen.

Parameterized queries will help you protect your query from SQL injection by using names that have known values, so that attackers who try to inject their own values will fail when asked for them.

0 Comments:

Post a Comment

Note: Only a member of this blog may post a comment.

Home

Total Pageviews

Featured Post

Why Learn PHP Programming

Why Learn PHP Programming A widely-used open source scripting language PHP is one of the most popular programming languages in the world. It...

Subscribe To

Posts
Atom
Posts
All Comments
Atom
All Comments

Copyright © PHPFixing