Click here to Skip to main content
15,883,278 members
Articles / Web Development / IIS

How to Protect from SQL Injection in PhP based website

Rate me:
Please Sign up or sign in to vote.
3.80/5 (6 votes)
20 Jun 2012CPOL2 min read 39.4K   7   7
How to Protect from SQL Injection in PhP based website

How to Protect from SQL Injection in PHP Based Website

One of the common methods that are being used by hackers is SQL INJECTION.

Sites get hacked by the sql injection due to the loop hole that is left by developers most of the times while developing a web application. I will be explaining you today how to avoid SQL INJECTION when you are developing a web application with PHP. I will be explaining with the help of an example, suppose we have text fields on our form

  1. User Name
  2. Password

and a login button.

When we login, the validation for the valid user is checked on the back-end. If the user is a valid user, he logs into the system else an error message "incorrect username or password" is shown.

What happens on the back-end,

$password =$_POST[‘password’];
$sqlQuery="select * from users where user_name= ‘".$userName."’ and user_password= ‘".$password."’ ;  ";

This is where the developer has left a loop hole if instead of password I enter  ‘ or ‘a’=’a  the password field has the value

$password is  ‘or ‘a’=’a

Lets place this value in query and the query becomes

$sqlQuery="select * from users where user_name= ‘".$userName."’ and user_password=’ ‘or ‘a’=’a’;   ";

You can see clearly, password doesn’t match but the other statement a=a matches so OR operator will work and the user will login into the system without knowing the actual password. I can even give you the names of some famous websites where you can inject sql or use this technique.

How to Avoid It

Don’t treat the field values as mentioned above

Use this function

function BlockSQL Injection($str){

return str_replace(array("'",""","'",'"'), array("'",""","'","""), $str);

This will replace the characters( that can break the string) in the string.

So you can use this function as

$userName= BlockSQL Injection ($_POST[‘userName’]);
$password = BlockSQL Injection ($_POST[‘password’]);

Now the hacker wont be able to break the QUERY STRING.

We have many frameworks in PHP that provide this functionality such as quotes_to_entities($string) in CODE IGNITER.

Use some desgin pattern when you are building a big application, model, controller, your view layers and DAO (data access object layer) must be implemented to make it losely coupled and extensible.

A huge number of sites have been developed in core php, where we don’t use any framework. Wordpress is very secure but when it comes to PLUGINS (that we donwload and use), they can have the loop holes inside them. Stay alert while developing web applications, you never know when you are gonna get hacked. Stay blessed!

Good Luck !



This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Written By
India India
This member has not yet provided a Biography. Assume it's interesting and varied, and probably something to do with programming.

Comments and Discussions

QuestionWordpress plugins Pin
Member 1094055211-Jul-14 6:20
Member 1094055211-Jul-14 6:20 
GeneralMy vote of 5 Pin
gndnet12-Jul-12 5:10
gndnet12-Jul-12 5:10 
Bug[My vote of 1] A very bad idea Pin
jakubmacek22-Jun-12 4:20
jakubmacek22-Jun-12 4:20 
GeneralMy vote of 1 Pin
imagiro20-Jun-12 21:43
imagiro20-Jun-12 21:43 
GeneralMy vote of 5 Pin
Farhan Ghumra20-Jun-12 20:21
professionalFarhan Ghumra20-Jun-12 20:21 
GeneralRe: My vote of 5 Pin
Onskee122-Jun-12 10:42
Onskee122-Jun-12 10:42 
GeneralNot very inclusive Pin
Onskee120-Jun-12 5:40
Onskee120-Jun-12 5:40 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.