Webmaster Tutorials :: Definition [Avoiding PHP SQL Injection]

PasswordSentry

Latest Version [8.00202205221] Last Updated [May-22-2022]

Webmaster Tutorials

Definition [Avoiding PHP SQL Injection]

Home

Avoiding PHP SQL Injection

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (for example, to dump the database contents to the attacker). In this discussion, we outline how to avoid SQL injection in PHP applications that access a mySQL database:

1. Never connect to the database as a superuser or as the database owner. Always use custom users with very limited privileges.
2. Use prepared statements with bound variables. For example, use PDO to prepare SQL statements.
3. If your version of PHP does not support PDO, then quote each user supplied value that is passed to the database with the database-specific string escape function (e.g. mysql_real_escape_string(), sqlite_escape_string(), etc.).
4. Do not print out any database specific information (e.g., SQL statement) to the user: especially in the case of errors.

Scroll

#1 Web Enterprise Software Application in its class! Free and Paid Plans Better App for Better Security!

PasswordSentry

Latest Version [8.00202205221] Last Updated [May-22-2022]