Avoiding PHP SQL Injection
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (for example, to dump the database contents to the attacker). In this discussion, we outline how to avoid SQL injection in PHP applications that access a mySQL database:
1. Never connect to the database as a superuser or as the database owner. Always use custom users with very limited privileges.
2. Use prepared statements with bound variables. For example, use PDO
to prepare SQL statements.
3. If your version of PHP does not support PDO, then quote each user supplied value that is passed to the database with the database-specific string escape function (e.g. mysql_real_escape_string(), sqlite_escape_string(), etc.).
4. Do not print out any database specific information (e.g., SQL statement) to the user: especially in the case of errors.