×


SQL Injection Prevention Techniques

In this article, we will learn how SQL injection is dangerous for our system and how we can prevent it. So let's first know what SQL injection is.

The SQL Injection is one of the oldest code-injection techniques which the attackers generally used to exploit the web applications. Like, if an attacker has inserted some vulnerable query as input, then that input may fetch some important data from your database or delete some information or may be the vulnerable query can delete the entire database. Today, SQL Injection is a common problem for exploited web applications. By using this, the attacker can violate transactions, they can become an administrator of database, or they can also effect our bank balance. So before prevention techniques, first let's know how the attacker attempts on SQL data.


SQL Injection Prevention Techniques



These are some examples that are vulnerable to SQL injection attack


SQL Injection 1=1

Suppose there is a table in the database name 'employee' and 'emp_name' is one of its fields. In front end, there is some search module that selects the employee data on the basis of the employee name. So in the controller, generally we write the query to fetch the searched employee name as -

$query = "SELECT * FROM employee WHERE emp_name = '$emname ' ";

Suppose the attacker goes to this search module in front end and in place of employee name, he has provided the given code in place of employee name variable as

 OR '1' = '1'

Then the select query becomes -

 $query = "SELECT * FROM employee WHERE emp_name = ' ' OR '1' = '1' ";

AS '1' = '1' condition always evaluates to true and executed and fetch all the data from the employee table. By this way, the attacker can fetch all the employee data.


SQL Injection Additional Query

In addition to provide the desired field value, the attacker can append the additional query that can delete or destroy all records. As the following input can delete all employee records if the attacker has provided the input as -

a%';DROP TABLE employee;

then the select query becomes

$query = "SELECT * FROM employee WHERE emp_name = ' a%';DROP TABLE employee;' ";

And when this query will be executed, it will delete all the employee data.


Blind SQL Injection

In this, the attacker can pass the query in URL parameters if the webpage url allows it, like -

http://www.example.com/employeedetail.php?empid=10

This URL gets an employee id 10, and can execute the given query and populate that employee data that having employee id 10.

$query = "SELECT * FROM employee WHERE empid = '10'; "

A hacker can also append the condition in the requested url and which may result.

http://www.example.com/employeedetail.php?empid=101 OR 1=1

This may fetch all employee information. Similarly hacker can affect any data in the database.




Methods to prevent SQL injection

These are the methods that protect from SQL vulnerabilities-

By using MySQLi

MySQLi is an improved version of MySQL. This improved version is built to use with PHP programming language. If you are using MySQL version 4.3 or newer, then it is recommended to use MySQLi Extension.

MySQLi binds the parameter after the select statement. This process results more security by preventing SQL injection attack and increased performance.

$stmt = $dbConnection->prepare('SELECT * FROM employee WHERE emp_name = ?');
$stmt->bind_param('s', $name);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // do something with $row
}    


By using PDO

PDO extends for PHP Data Object. It is lightweight, more portable interface for accessing database in PHP. It is a database access layer which makes the developer to write portable code much easier.

In PDO, you can bind the parameter after select statement. The bindparam() method binds a parameter to the specified variable name to fetch the desired value, i.e. it sets the where clause condition and fetch() method fetches a row from the result set. This process protects from SQL injection attack.

$emp_select = $database->prepare("SELECT * FROM employee WHERE emp_name = :empname ");
$emp_select->bindparam(':empname', '$empname');
$emp_select->execute();
$emprows = $emp_select->fetch(PDO::FETCH_ASSOC);
return $emprows;    




Related Articles

Upload multiple files and store in MySQL database using PHP
multiple choice quiz in PHP and MySQL
Import Data Into MySQL From Excel File
CRUD operations in Python using MYSQL Connector
Windows commands to Create and Run first Django app
Preventing Cross Site Request Forgeries(CSRF) in PHP
PHP code to send email using SMTP
Simple pagination in PHP
Simple PHP File Cache
PHP Connection and File Handling on FTP Server
Sending form data to an email using PHP
Recover forgot password using PHP and MySQL
How to display PDF file in PHP from database
How to read CSV file in PHP and store in MySQL
Create And Download Word Document in PHP




Read more articles


General Knowledge



Learn Popular Language