This solution can prevent every possible SQL Injection in PHP scripts

What is SQL Injection ?

SQL injection is a form of attack where user entered input would manipulate the database of your PHP web application. Hackers are more likely insert potentially unsafe code into your web forms if your forms insert user input value into SQL database table without escaping unsafe characters. Here is an example of SQL injection that can drop your entire table in database;

$unsafe_input_variable = $_POST[‘unsafe_user_input’];

When the above input is directly inserted into Sql table without removing query parameters like this;

mysql_query(“INSERT INTO `table` (`column`) VALUES (‘$unsafe_input_variable’)”);

That’s because the spammer can enter something like

value’); DROP TABLE table;–,

And the above input query will be converted like this

INSERT INTO table (column) VALUES(‘value’); DROP TABLE table;–‘)

Subscribe to our newsletter

Related Posts

Soon after execution of the above query you will loose your entire table and the most important data. So, how do we prevent this from happening ? In order to prevent SQL injection you are better off using prepared statements along with parameterized commands. These are basically SQL statements which are passed to and parsed by the DB server. This process makes it impossible to inject hacking code into SQL database. We are drafting an easy and powerful solution to help secure your PHP web application. Please be patient and come back this may take a while.

Share this post

Share on Facebook
Share on Twitter
Share on Linkedin