etutorialspoint
  • Home
  • PHP
  • MySQL
  • MongoDB
  • HTML
  • Javascript
  • Node.js
  • Express.js
  • Python
  • Jquery
  • R
  • Kotlin
  • DS
  • Blogs
  • Theory of Computation

SQL Injection Prevention Techniques

In this article, we will learn how SQL injection dangerous for our system and how can we prevent them. So let's first know what is SQL injection?

SQL Injection is one of the oldest code injection technique which attacker generally used to exploit web applications. Like, if an attacker has inserted some vulnerable query as input, then that input may fetch some important data from your database or delete some information or may be the vulnerable query can delete the entire database. Today, SQL Injection is a common problem for exploited web applications. By using this the attacker can violate transactions, they can become an administrator of database, or they can also effect our bank balance. So before prevention techniques, first let's know how the attacker attempts on SQL data.


SQL Injection Prevention Techniques

These are some examples that vulnerable to SQL injection attack


SQL Injection 1=1

Suppose, there is a table in database name 'employee' and 'emp_name' is one of it's field. In front end, there is some search module that select employee data on the basis of employee name. So in the controller, generally we write the query to fetch the searched employee name as -

$query = "SELECT * FROM employee WHERE emp_name = '$emname ' ";

Suppose the attacker goes to this search module in front end and in place of employee name, he has provided the below code in an employee name variable as

 OR '1' = '1'

Then the select query becomes -

 $query = "SELECT * FROM employee WHERE emp_name = ' ' OR '1' = '1' ";

AS '1' = '1' condition always evaluates to true and executed and fetch all the data from employee table. By this way the attacker can fetch all the employee data.


SQL Injection Additional Query

n addition to provide the desired field value, the attacker can append the additional query that can delete or destroy all records. Like the following input can delete all employee records if the attacker has provided the input as -

a%';DROP TABLE employee;

then the select query becomes

$query = "SELECT * FROM employee WHERE emp_name = ' a%';DROP TABLE employee;' ";

and when this query will be executed, it will delete all the employee data.


Blind SQL Injection

In this, the attacker can pass the query in URL parameters if the webpage url allows it, like

http://www.example.com/employeedetail.php?empid=10

This url gets an employee id 10, and can execute the below query and populate that employee data that having employee id 10

$query = "SELECT * FROM employee WHERE empid = '10'; "

A hacker can also append the condition in the requested url and which may result.

http://www.example.com/employeedetail.php?empid=101 OR 1=1

This may fetch all employee information. Similarly hacker can affect any data in the database.




Methods to prevent SQL injection

These are the methods that protect from SQL vulnerabilities-

By using MySQLi

MySQLi is improved version of MySQL. This improved version is built to use with PHP programming language. If you are using MySQL version 4.3 or newer, then it is recommended to use MySQLi Extension.

MySQLi binds the parameter after the select statement. This process results more security by preventing SQL injection attack and increased performance.

$stmt = $dbConnection->prepare('SELECT * FROM employee WHERE emp_name = ?');
$stmt->bind_param('s', $name);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // do something with $row
}


By using PDO

PDO extends for PHP Data Object. It is lightweight, more portable interface for accessing database in PHP. It is a database access layer which makes the developer to write portable code much easier.

In PDO, you can bind the parameter after select statement. The bindparam() method binds a parameter to the specified variable name to fetch the desired value, i.e. it sets the where clause condition and fetch() method fetches a row from the result set. This process protects from SQL injection attack.

$emp_select = $database->prepare("SELECT * FROM employee WHERE emp_name = :empname ");
$emp_select->bindparam(':empname', '$empname');
$emp_select->execute();
$emprows = $emp_select->fetch(PDO::FETCH_ASSOC);
return $emprows;




◀ Previous Article
Characteristics of a Good Computer Program
Next Article ▶
PHP Server Side Form Validation
Most Popular Development Resources
Characteristics of a Good Computer Program
-----------------
Retrieve Data From Database Without Page refresh Using AJAX, PHP and Javascript
-----------------
Get current visitor\'s location using HTML5 Geolocation API and PHP
-----------------
How to Sort Table Data in PHP and MySQL
-----------------
Dynamically Add/Delete HTML Table Rows Using Javascript
-----------------
PHP MYSQL Advanced Search Feature
-----------------
Simple star rating system using PHP, jQuery and Ajax
-----------------
Simple pagination in PHP
-----------------
Fibonacci Series Program in PHP
-----------------
jQuery loop over JSON result after AJAX Success
-----------------
PHP user registration and login/ logout with secure password encryption
-----------------
Submit a form data using PHP, AJAX and Javascript
-----------------
Polling system using PHP, Ajax and MySql
-----------------
jQuery File upload progress bar with file size validation
-----------------
SQL Injection Prevention Techniques
-----------------
PHP Secure User Registration with Login/logout
-----------------
How to add multiple custom markers on google map
-----------------
Create pie chart using Google API, PHP and MySQL
-----------------
How to get current directory, filename and code line number in PHP
-----------------
Php file based authentication
-----------------
PDO MySQL Connection in PHP
-----------------
Recover forgot password using PHP7 and MySQLi
-----------------
Simple File Upload Script in PHP
-----------------
Set and Get Cookies in PHP
-----------------
Date Timestamp Formats in PHP
-----------------
To check whether a year is a leap year or not in php
-----------------
PHP User Authentication by IP Address
-----------------
PHP Server Side Form Validation
-----------------
Detect Mobile Devices in PHP
-----------------
Calculate the distance between two locations using PHP
-----------------
How to generate QR Code in PHP
-----------------
Simple Show Hide Menu Navigation
-----------------
Convert MySQL to JSON using PHP
-----------------
Simple PHP File Cache
-----------------
Get Visitor\'s location and TimeZone
-----------------
PHP Programming Error Types
-----------------
Sending form data to an Email using PHP
-----------------
Preventing Cross Site Request Forgeries(CSRF) in PHP
-----------------
CSS Simple Menu Navigation Bar
-----------------
Driving route directions from source to destination using HTML5 and Javascript
-----------------
Divide Large Data Into Two Columns Using PHP
-----------------
Simple way to send SMTP mail using Node.js
-----------------
How to encrypt password in PHP
-----------------
How to use google map street view api on webpage
-----------------
How to select/deselect all checkboxes using Javascript
-----------------
Print different sections of a web page using javascript
-----------------
How to add google map on your website and display address on click marker
-----------------
Hypertext Transfer Protocol Overview
-----------------
Create And Download Word Document in PHP
-----------------
PHP code to send email using SMTP
-----------------
Simple XML Manipulation In PHP
-----------------
Getting Document of Remote Address
-----------------
File Upload Validation in PHP
-----------------
PHP Connection and File Handling on FTP Server
-----------------
R Plot Types
-----------------


Most Popular Blogs
Most in demand programming languages
Best mvc PHP frameworks in 2019
MariaDB vs MySQL
Most in demand NoSQL databases for 2019
Best AI Startups In India
Kotlin : Android App Development Choice
Kotlin vs Java which one is better
Top Android App Development Languages in 2019
Web Robots
Data Science Recruitment of Freshers - 2019


Interview Questions Answers
Basic PHP Interview
Advanced PHP Interview
MySQL Interview
Javascript Interview
HTML Interview
CSS Interview
Programming C Interview
Programming C++ Interview
Java Interview
Computer Networking Interview
NodeJS Interview
ExpressJS Interview
R Interview





General Knowledge

listen
listen
listen
listen
listen
listen
listen
listen
listen


Learn Popular Language

listen
listen
listen
listen
listen

Blogs

  • Jan 27

    Best AI Startups In India

    Artificial Intelligence is a process of making an intelligent computer machine that does tasks intelligently...

  • Jan 23

    Most in demand programming languages for 2019

    In this article, we have mentioned the analyzed results of the most in demand programming language for 2019...

  • Jan 15

    Web Robots

    Web robots is an internet robot or simply crawlers, or spiders and do not relate this with hardware robots...

  • Jan 12

    Most in demand NoSQL databases software for 2019

    In this article, we have mentioned the analyzed result of most in demand NoSQL database softwares for 2019...

  • Jan 10

    Kotlin : Android App Development Choice

    Kotlin is a general-purpose open-source programming language. It runs on the JVM and its syntax is much like Java...

Follow us

  • etutorialspoint facebook
  • etutorialspoint twitter
  • etutorialspoint linkedin
etutorialspoint youtube
About Us      Contact Us


  • eTutorialsPoint©Copyright 2016-2020. All Rights Reserved.