Please wait while we load your page...


Latest Version [8.00202307241] Last Updated [Jul-24-2023]

PasswordSentry Highly Recommends NETbilling

Avoiding PHP SQL Injection

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (for example, to dump the database contents to the attacker). In this discussion, we outline how to avoid SQL injection in PHP applications that access a mySQL database:

1. Never connect to the database as a superuser or as the database owner. Always use custom users with very limited privileges.
2. Use prepared statements with bound variables. For example, use PDO to prepare SQL statements.
3. If your version of PHP does not support PDO, then quote each user supplied value that is passed to the database with the database-specific string escape function (e.g. mysql_real_escape_string(), sqlite_escape_string(), etc.).
4. Do not print out any database specific information (e.g., SQL statement) to the user: especially in the case of errors.

Blog Posts

Random Security Blog Articles

See All Blog Posts

PasswordSentry :: Security Blog ArticleShutterstock/ESB Professional Emily Collins, University of Bath and Joanne Hinds, University of Bath The number of cyber attacks is estimated to have risen by 67% over the last five years, with the majority of these data breaches being … Read More
PasswordSentry :: Security Blog Article‘No, I absolutely do not wish to change my password, thanks.’ Shutterstock/ Steven J. Murdoch, UCL It’s normally in the final seconds of a TV or radio interview that security experts get asked for advice for the general public … Read More