How can I prevent SQL injection in PHP?

Share

Avoiding SQL injection attacks can be done through complete separation of data and commands. Though it’s easy to mix these two up, they should remain separate when working with SQL statements – one dictates what needs to happen while the other provides its content. When using uncalculated statements or those without properly programmed parameters, there is a greater chance for attack because hackers can put in their own command code disguised as part of your input data. If this happens, the parser may execute that input even though it was not intended by the programmer.

There are two different ways you can do this :

  • This example will show you how to set up PHP to use PDO for any supported database driver.
$statement = $pdo->prepare('SELECT * FROM users WHERE username = :username');
$statement->execute([ 'username' => $username]);

foreach ($statement as $row) {
    // Do something with $row
}
  • Using MySQLi for Mysql.
$statement= $dbConnection->prepare('SELECT * FROM employees WHERE username = ?');
$statement->bind_param('s', $username); // 's' is variable type => 'string'
$statement->execute();

$result = $statement->get_result();
while ($row = $result->fetch_assoc()) {
    // Do something with $row
}

1 thought on “How can I prevent SQL injection in PHP?”

  1. Pingback: Best Practices for PHP Security in 2022 - The Technical Diaries

Leave a Comment

Your email address will not be published. Required fields are marked *

 - 
Afrikaans
 - 
af
Albanian
 - 
sq
Amharic
 - 
am
Arabic
 - 
ar
Armenian
 - 
hy
Azerbaijani
 - 
az
Basque
 - 
eu
Belarusian
 - 
be
Bengali
 - 
bn
Bosnian
 - 
bs
Bulgarian
 - 
bg
Catalan
 - 
ca
Cebuano
 - 
ceb
Chichewa
 - 
ny
Chinese (Simplified)
 - 
zh-CN
Chinese (Traditional)
 - 
zh-TW
Corsican
 - 
co
Croatian
 - 
hr
Czech
 - 
cs
Danish
 - 
da
Dutch
 - 
nl
English
 - 
en
Esperanto
 - 
eo
Estonian
 - 
et
Filipino
 - 
tl
Finnish
 - 
fi
French
 - 
fr
Frisian
 - 
fy
Galician
 - 
gl
Georgian
 - 
ka
German
 - 
de
Greek
 - 
el
Gujarati
 - 
gu
Haitian Creole
 - 
ht
Hausa
 - 
ha
Hawaiian
 - 
haw
Hebrew
 - 
iw
Hindi
 - 
hi
Hmong
 - 
hmn
Hungarian
 - 
hu
Icelandic
 - 
is
Igbo
 - 
ig
Indonesian
 - 
id
Irish
 - 
ga
Italian
 - 
it
Japanese
 - 
ja
Javanese
 - 
jw
Kannada
 - 
kn
Kazakh
 - 
kk
Khmer
 - 
km
Korean
 - 
ko
Kurdish (Kurmanji)
 - 
ku
Kyrgyz
 - 
ky
Lao
 - 
lo
Latin
 - 
la
Latvian
 - 
lv
Lithuanian
 - 
lt
Luxembourgish
 - 
lb
Macedonian
 - 
mk
Malagasy
 - 
mg
Malay
 - 
ms
Malayalam
 - 
ml
Maltese
 - 
mt
Maori
 - 
mi
Marathi
 - 
mr
Mongolian
 - 
mn
Myanmar (Burmese)
 - 
my
Nepali
 - 
ne
Norwegian
 - 
no
Pashto
 - 
ps
Persian
 - 
fa
Polish
 - 
pl
Portuguese
 - 
pt
Punjabi
 - 
pa
Romanian
 - 
ro
Russian
 - 
ru
Samoan
 - 
sm
Scots Gaelic
 - 
gd
Serbian
 - 
sr
Sesotho
 - 
st
Shona
 - 
sn
Sindhi
 - 
sd
Sinhala
 - 
si
Slovak
 - 
sk
Slovenian
 - 
sl
Somali
 - 
so
Spanish
 - 
es
Sundanese
 - 
su
Swahili
 - 
sw
Swedish
 - 
sv
Tajik
 - 
tg
Tamil
 - 
ta
Telugu
 - 
te
Thai
 - 
th
Turkish
 - 
tr
Ukrainian
 - 
uk
Urdu
 - 
ur
Uzbek
 - 
uz
Vietnamese
 - 
vi
Welsh
 - 
cy
Xhosa
 - 
xh
Yiddish
 - 
yi
Yoruba
 - 
yo
Zulu
 - 
zu