39: Protect your database against SQL injection using MySQLi | PHP tutorial | Learn PHP programming



How to Prevent SQL Injection in PHP

Two Parts:

This wikiHow teaches you how to prevent SQL injection using Prepared Statements in PHP. SQL injection is one of the most common vulnerabilities in Web applications today. Prepared Statements use bound parameters and do not combine variables with SQL strings, making it impossible for an attacker to modify the SQL statement.
Prepared Statements combine the variable with the compiled SQL statement, so that the SQL and the variables are sent separately. The variables are then interpreted as mere strings and not part of the SQL statement. Using the methods in the steps below, you will not need to use any other SQL injection filtering techniques such as the mysql_real_escape_string().

Steps

Understanding SQL Injection

  1. SQL Injection is a type of vulnerability in applications that use a SQL database.The vulnerability arises when a user input is used in a SQL Statement:
    $name$_GET'username' $query"SELECT password FROM tbl_user WHERE name='$name' "
  2. The value a user enters into the URL variableusernamewill be assigned to the variable$name.It's then placed directly into the SQL statement, making it possible for the user to edit the SQL statement.
    $name"admin' OR 1=1 -- " $query"SELECT password FROM tbl_user WHERE name='$name' "
  3. The SQL database will then receive the SQL statement as follows:
    SELECTpassword tbl_usersWHEREname 'admin'
    • This is valid SQL, but instead of returning one password for the user, the statement will return all the passwords in the tabletbl_user. This is not something you want in your web applications.

Using mySQLi to Create Prepared Statements

  1. Create the mySQLi SELECT Query.
    Use the code below to SELECT data from a table using mySQLi Prepared Statements.
    $name$_GET'username' $stmt$mysqliprepare"SELECT password FROM tbl_users WHERE name=?" // Bind a variable to the parameter as a string. $stmtbind_param$name // Execute the statement. $stmtexecute // Get the variables from the query. $stmtbind_result$pass // Fetch the data. $stmtfetch // Display the data. printf"Password for user is "$name$pass // Close the prepared statement. $stmtclose

    • Note: The variable$mysqliis the mySQLi Connection Object.
  2. Create the mySQLi INSERT Query.Use the code below to INSERT data into a table using mySQLi Prepared Statements.
    $name$_GET'username' $password$_GET'password' $stmt$mysqliprepare"INSERT INTO tbl_users (name, password) VALUES (?, ?)" // Bind the variables to the parameter as strings. $stmtbind_param$name$password // Execute the statement. $stmtexecute // Close the prepared statement. $stmtclose

    • Note: The variable$mysqliis the mySQLi Connection Object.
  3. Create the mySQLi UPDATE Query.Use the code below to UPDATE data in a table using mySQLi Prepared Statements.
    $name$_GET'username' $password$_GET'password' $stmt$mysqliprepare"UPDATE tbl_users SET password = ? WHERE name = ?" // Bind the variables to the parameter as strings. $stmtbind_param$password$name // Execute the statement. $stmtexecute // Close the prepared statement. $stmtclose

    • Note: The variable$mysqliis the mySQLi Connection Object.
  4. Create the mySQLi DELETE Query.The below script is how to DELETE data from a table using mySQLi Prepared Statements.
    $name$_GET'username' $password$_GET'password' $stmt$mysqliprepare"DELETE FROM tbl_users WHERE name = ?" // Bind the variable to the parameter as a string. $stmtbind_param$name // Execute the statement. $stmtexecute // Close the prepared statement. $stmtclose

    • Note: The variable$mysqliis the mySQLi Connection Object.

Community Q&A

Search
  • Question
    Why use the $_GET method instead of the $_POST method?
    wikiHow Contributor
    Community Answer
    $_GET is easier to use when developing or when no user-sensitive data is being sent. Examples could include info for the generation of the webpage, or a position where the user scrolled last on the page, etc.
    Thanks!
Ask a Question
200 characters left
Include your email address to get a message when this question is answered.





Video: PHP Security: SQL Injection

How to Prevent SQL Injection in PHP
How to Prevent SQL Injection in PHP images

2019 year
2019 year - How to Prevent SQL Injection in PHP pictures

How to Prevent SQL Injection in PHP advise
How to Prevent SQL Injection in PHP forecast photo

How to Prevent SQL Injection in PHP pictures
How to Prevent SQL Injection in PHP pictures

How to Prevent SQL Injection in PHP How to Prevent SQL Injection in PHP new foto
How to Prevent SQL Injection in PHP new foto

pics How to Prevent SQL Injection in PHP
images How to Prevent SQL Injection in PHP

Watch How to Prevent SQL Injection in PHP video
Watch How to Prevent SQL Injection in PHP video

Discussion on this topic: How to Prevent SQL Injection in PHP, how-to-prevent-sql-injection-in-php/
Discussion on this topic: How to Prevent SQL Injection in PHP, how-to-prevent-sql-injection-in-php/ , how-to-prevent-sql-injection-in-php/

Related News


Diane Kruger: I Love Twilight, I Was Totally Team Edward
What to Wear to Sydney Autumn Racing Carnival 2019
Ombú, Don Carlos Leisure Resort Spa, Marbella, Spain
Your Wedding Photographer: What You Need to Discuss Before the Wedding
Mon Plaisir
Fantastic Beasts’: J.K
Charlotte Tilbury Creates New Lipstick Line With Kim Kardashian, Miranda Kerr And Kate Bosworth
How to Knit Decreases
The Exact 4 Products Makeup Artists Used to Create the Jet-Black Lips at MarcJacobs
Win A 1,000 Joe Black AW16 Wardrobe
How to Seek Treatment for a Psychiatric Disorder
Burger with Mushrooms
459 tonnes of luggage
How to Wake Up Without an Alarm Clock



Date: 13.12.2018, 09:27 / Views: 91332