SQL injection is a well-known attack technique used to read, insert, delete or update data in a database. Without protection, your data is at high risk of being lost or changed. The attack is carried out through user input that reaches your application from the browser, typically via POST and GET parameters. Before you publish your website, test it against SQL injection attacks to prevent future failures.
How do you prevent SQL injection attacks? By sanitizing input data before a SQL query is executed. In PHP, there are two functions to sanitize user/browser input: addslashes and mysql_real_escape_string.
Here is a function that sanitizes input data before it is used in a SQL query:
function clean_sql_query($string)
{
    // If magic_quotes_gpc is On, PHP has already escaped the input;
    // undo that first so the backslashes are not doubled below.
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    // mysql_real_escape_string() (PHP >= 4.3.0) takes the connection's
    // character set into account; older versions only have mysql_escape_string().
    if (version_compare(phpversion(), '4.3.0', '>=')) {
        $string = mysql_real_escape_string($string); // requires an open MySQL connection
    } else {
        $string = mysql_escape_string($string);
    }
    return $string;
}
This function can be used as follows on a value submitted from a form:
if (isset($_POST['ID'])) $ID = clean_sql_query($_POST['ID']);
Or use it directly while building a SQL query:
$sql = "SELECT * FROM Users WHERE ID = '" . clean_sql_query($ID) . "'";
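The post builds the query by concatenating the escaped value into the SQL string. The following added example (not code from the original post) shows the same "find a user by ID" lookup built that way next to the parameter-binding form, so the difference can be observed on the post's own input. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite table in place of MySQL; the ext/mysql functions the post uses were removed in PHP 7, and PDO prepared statements work the same way against MySQL.

```php
<?php
// Added example, not from the original post. Assumption: pdo_sqlite is
// available; the table and rows below are constructed for the demo.
function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Users (ID TEXT PRIMARY KEY, Name TEXT)');
    $db->exec("INSERT INTO Users VALUES ('1', 'alice'), ('2', 'bob')");
    return $db;
}

// Vulnerable: the raw input becomes part of the SQL text, so a quote in
// the input ends the string literal and the rest is parsed as SQL.
function find_user_concat(PDO $db, string $id): array
{
    $sql = "SELECT * FROM Users WHERE ID = '" . $id . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value is sent as a bound parameter, never as SQL text,
// so quotes inside it cannot change the statement's structure.
function find_user_prepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT * FROM Users WHERE ID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();
// Constructed input: the same payload the post uses in its example.
$payload = "' OR '1' = '1";

printf("concatenated query: %d row(s) returned\n", count(find_user_concat($db, $payload)));
printf("prepared statement: %d row(s) returned\n", count(find_user_prepared($db, $payload)));
```

Run it with `php sqli_demo.php`. The concatenated version returns every row in the table because the WHERE clause has become always true; the prepared version looks for a user whose ID is literally the string `' OR '1' = '1` and finds nothing. Escaping with clean_sql_query() protects the concatenated form only as long as the value is wrapped in quotes in the SQL; parameter binding does not depend on that.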
Step by step explanation
First, check whether magic_quotes_gpc is On in php.ini. If it is, POST, GET and COOKIE data has already been escaped automatically, so we remove those slashes from the $string variable with the stripslashes function (otherwise the backslashes would be doubled in the next step).
Then, depending on the PHP version, it applies mysql_real_escape_string or mysql_escape_string to the $string variable.
What does mysql_real_escape_string do?
mysql_real_escape_string prepends a backslash to each of the following characters: \n, \r, \, \x00, \x1a, ' and ". The database then reads them as ordinary characters inside the string value rather than as quotes or control characters, so they cannot alter the query.
Example:
Suppose the input is ' OR '1' = '1. Without escaping, the query would be:
SELECT * FROM Users WHERE ID = '' OR '1' = '1'
After applying the function to the input data, the query looks like:
SELECT * FROM Users WHERE ID = '\' OR \'1\' = \'1'
Here the escaped quotes are part of the ID value, so the database does not interpret the OR as a condition and the injected text has no effect.
Without mysql_real_escape_string, the first query is valid SQL whose WHERE clause is always true, so any user can use it to mess with your database.
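To make the escaping step visible without a MySQL server (mysql_real_escape_string() needs an open connection and no longer exists in PHP 7), the following added example, not from the original post, reimplements the escaping rule listed above as a plain string function and applies it to the post's input. It also shows the case the post does not cover: when the value is placed in the SQL unquoted, as a number, there is no quote for the function to escape, so escaping alone does not help and the value must be cast or bound instead. The helper name escape_like_mysql and the sample inputs are this example's own.

```php
<?php
// Added example, not from the original post. escape_like_mysql() is an
// illustrative reimplementation of the documented escaping rule, not the
// real mysql_real_escape_string(): a backslash is put in front of
// NUL, \n, \r, \, ', " and Ctrl-Z (\x1a).
function escape_like_mysql(string $s): string
{
    return strtr($s, [
        "\x00" => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\x1a" => "\\Z",
    ]);
}

// Quoted context (the post's case): the attacker's quote is escaped and
// everything after it stays inside the string literal.
function quoted_query(string $id): string
{
    return "SELECT * FROM Users WHERE ID = '" . escape_like_mysql($id) . "'";
}

// Unquoted numeric context: nothing in the input needs escaping, so the
// function returns it unchanged and the extra clause survives.
function numeric_query_escaped_only(string $id): string
{
    return "SELECT * FROM Users WHERE ID = " . escape_like_mysql($id);
}

// Fix for the numeric context: force the value to an integer before use.
function numeric_query_cast(string $id): string
{
    return "SELECT * FROM Users WHERE ID = " . (int) $id;
}

// Constructed inputs: the post's payload and a numeric-context variant.
$quoted_input  = "' OR '1' = '1";
$numeric_input = "1 OR 1=1";

echo "quoted, escaped:          ", quoted_query($quoted_input), "\n";
echo "numeric, escaped only:    ", numeric_query_escaped_only($numeric_input), "\n";
echo "numeric, cast to integer: ", numeric_query_cast($numeric_input), "\n";
```

The first line printed matches the escaped query shown in the post. The second shows that escaping leaves `1 OR 1=1` untouched, because none of its characters are in the escape set, so the WHERE clause is still always true; the third shows the value reduced to `1` by the integer cast. The general lesson is that escaping only works together with the quoting it was designed for; where the value is not a quoted string, validate its type or use a bound parameter.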