Home/ Questions/Q 4105864
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-20T21:18:10+00:00

How do i secure my site to SQL injection attacks? Im using PHP and

  • 0

How do i secure my site to SQL injection attacks? Im using PHP and mysql. Do i have to alter my mysql Query?

For example, i have one query like this:

<?php
$q=$_GET["q"];// im getting the Q value from the other form,from drop down box[displaying data using Ajax
$a1=$_POST['hosteladmissionno'];
$a2=$_POST['student_name'];
$a3=$_POST['semester'];
$con = mysql_connect('localhost', 'root', '');
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("hostel", $con);

$a1="SELECT  hosteladmissionno,student_name,semester FROM registration 
WHERE mess_type ".$q."' AND  status_flag=1";

$result = mysql_query($a1);

if ($result === false) {

    die(mysql_error());
}
echo "<table border='1' width=80%>
<tr>
 <th width=5%> S.No</th>
<th width=10%>H.Admin No</th>
<th width=10%>Student Name</th>
<th width=5%>No of Days</th>
</tr>";
 $i=0;
while($row = mysql_fetch_array($result))
  {
  $i=$i+1;
  echo "<tr>";
  echo "<td  align=center>" .$i."</td>";
  echo "<td size=10 align=center>" . $row['hosteladmissionno'] . "</td>";
  echo "<td size=35  align=center>" . $row['student_name'] . "</td>";
  echo "<td  align=center>  <input type='text' name='days' size=2> </td> ";
  echo "</tr>";
  }
echo "</table>";

mysql_close($con);
?>

Do i have to include any alteration in my query to avoid Injection attacks? Any suggestion would be helpful.Thanks in advance. Cheers!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Your query appears (EDIT: appeared, in the first version of the query) to be entirely static – i.e. it doesn’t use any user-supplied data. In that case, there’s no risk of SQL injection.

    SQL injection attacks involve taking user input and including that directly in a SQL query, instead of the preferred method of using a parameterized SQL statement and including user-supplied values that way. (I don’t know the details of how that’s done in PHP… I certainly hope it’s possible.)

    EDIT: Okay, now you’ve changed your code, including this:

    $a1="SELECT  hosteladmissionno,student_name,semester FROM registration 
WHERE mess_type ".$q."' AND  status_flag=1";

    Where $q is retrieved from a text box. Now I assume you really meant the second line to be:

    WHERE mess_type='".$q."' AND  status_flag=1";

    But that’s still vulnerable to SQL injection attack. Suppose the value of q is:

    ' OR 'x'='x

    Your SQL statement would then end up as

    SELECT hosteladmissionno,student_name,semester FROM registration 
WHERE mess_type='' OR 'x'='x' AND  status_flag=1

    which clearly isn’t the logic you’re after.

    You should use parameters for the values, as shown on this PHP prepared statement page.

    • 0