What's the Right Way to Prevent SQL Injection in PHP Scripts?

re: What's the Right Way to Prevent SQL Injection in PHP Scripts?

Mathankumar G — Thu, 07 Feb 2013 16:58:44 GMT

hi,its very useful information but its support mysql or only sql etc.,??

Thanks

re: What's the Right Way to Prevent SQL Injection in PHP Scripts?

Brian Swan - MSFT — Mon, 04 Apr 2011 03:29:15 GMT

I'd be interested to see exactly how this vulnerable to "blind SQL injection". Can you elaborate?

re: What's the Right Way to Prevent SQL Injection in PHP Scripts?

Donkey Kong — Mon, 04 Apr 2011 03:25:11 GMT

Sorry to tell you but the above code is vulnerable to blind SQL injection. You may wish to try input sanitizeation.

re: What's the Right Way to Prevent SQL Injection in PHP Scripts?

thejoester — Fri, 18 Feb 2011 22:21:53 GMT

I had a database that got hacked in this way before discovering the above solution to it I wrote the login script a tad differently, I first do a count statement that does "SELECT COUNT(username) as count FROM user_table WHERE username='$username' AND password='$password'"

then only if the count = 1 do I actually query the database with the SELECT statement to get user information. I found this way works, though there is more code and may not be as good of a solution.

Thank you!

re: What's the Right Way to Prevent SQL Injection in PHP Scripts?

Brian Swan - MSFT — Mon, 14 Feb 2011 16:17:15 GMT

@abdulsalam almekhlafi-

Feel free to re-post this article with a link back to the source.

Glad you found it helpful.

-Brian

re: What's the Right Way to Prevent SQL Injection in PHP Scripts?

abdulsalam almekhlafi — Sun, 13 Feb 2011 21:15:01 GMT

Very good article and nice explain

I want to post this article on my web site http://www.almekhlafi.com with write this site source if you no have any problem

Thankyou

re: What's the Right Way to Prevent SQL Injection in PHP Scripts?

Warjat — Mon, 23 Aug 2010 13:40:10 GMT

Great post, thanks.

I've somewhat new to PHP/SQL logins, and although I can build a login system, I always knew that I was lacking in the department of security. This brings me one step closer to make my logins more secure. Thanks!

re: What's the Right Way to Prevent SQL Injection in PHP Scripts?

Brian Swan - MSFT — Mon, 15 Mar 2010 16:39:43 GMT

@Craig: Glad to hear you are making progress. I'd be interested in the details of your final solution. You can e-mail me at brian.swan 'at' microsoft 'dot' com. Let me know if you need help with anything else.

-Brian

re: What's the Right Way to Prevent SQL Injection in PHP Scripts?

Craig Marvelley — Mon, 15 Mar 2010 15:53:06 GMT

Hi Brian,

Just wanted to let you know that I looked into your suggestions; something like that would be perfect. PDOStatement::bindParam() does have a 'data_type' parameter, but I don't think it's comparable since its not driver-specific. It didn't make a difference to my queries, anyway!

There's a generic 'driver specific options' parameter that could be suitable for something like this, but I can't find a reference to its use in the documentation or in the source of the PDO ODBC extension. Patching the extension to support a type hint through that parameter is a possibility that I'm looking into.

Cheers,

Craig

re: What's the Right Way to Prevent SQL Injection in PHP Scripts?

Brian Swan - MSFT — Tue, 09 Mar 2010 23:51:09 GMT

@Joe: Thanks for the comments. Some good food for thought. If I could generalize your comment about only using a RDBMS when you really need it, I'd say you should use the right tool for the right job. I think that rule applies to programming languages too. Personally, I've found PHP easier to pick up than Visual Basic or C#. Sometimes, being able to develop quickly fits the "right tool for the right job" requirement. And, as I learn more PHP, I'm finding that the writing secure, maintainable, well-architected code is becoming easier and easier.

-Brian