Home/ Questions/Q 6899315
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T07:24:24+00:00

Possible Duplicate: Best way to stop SQL Injection in PHP Recently, I got my

  • 0

Possible Duplicate:
Best way to stop SQL Injection in PHP

Recently, I got my database wiped through a hacker inserting a DROP table command through a signup form.

This annoyed me and got me thinking:

How can I prevent mysql injection in php, before the information is sent to the database, e.g is there a way to detect that the user is trying to inject bad code into the database that can wipe it, and if so, detect it and display an error?

Also, is there a way to detect the mysql injection after it has been added, so when I am displaying the query, if it is the delete injection code, don’t display it.

Thanks again, I apologise for any waffle.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Use either PDO or Mysqli with the binding syntax. This alone will prevent most injection attacks.

    Example:

        $stmt = $db->prepare(
                'UPDATE users ' .
                'SET userEmail=:email, userSalt=:salt, userPass=:pass ' .
                'WHERE userId=:userId LIMIT 1' );
    $stmt->bindParam( ':email',  $this->_email,    \PDO::PARAM_STR );
    $stmt->bindParam( ':salt',   $this->_salt,     \PDO::PARAM_STR );
    $stmt->bindParam( ':pass',   $this->_password, \PDO::PARAM_STR );
    $stmt->bindParam( ':userId', $this->_id,       \PDO::PARAM_INT );
    $stmt->execute();

    In the above example, trying to escape the :email binding to insert a DROP TABLE won’t work.

    You still need to be careful with user-provided data. For instance, if the user provides a $docId for a get document query, make sure they’re authorized for the document being requested. (And not just guessing a $docId belonging to some other user).

    • 0