Before we talk about how to prevent SQL injection, we have to know the impact of SQL Injection attack which is one of the most dangerous attacks on the web.
The attacker can steal your data or even worse, the whole web server can be stolen from one SQL injection vulnerability.
I wrote this post to show you how to prevent SQL injection.
If you need to know more about SQL injection itself and its types and all other stuff, you can do a simple search on google if you want.
The solution is to clean the request parameters coming from the user.
https://likegeeks.com/prevent-sql-injection/
Thanks in advance.
Top comments (7)
@macnux mysql_real_escape_string is really bad and it's not full proof.
The only and best way to set up PHP to not have SQL injections is to use bind parameters (or well, use a simple Abstraction layer )
Using mysql_real_escape_string as the article said is used when you only have MySQL extension or MySQLi.
But if you have PDO, you can use bind parameters.
Right, but you should get rid of mysql queries as soon as possible.
Also mysqli supports bind params as well php.net/manual/ro/mysqli-stmt.bind...
For large projects, the bind parameter requires you to go to every file on your project and change the code to make it use bind_parameter, but this way all you need to do is to change your header file once for all of the project files and all of your code are secured from SQLi.
What is a header file?
The header file is the mail file which his included on all of your code files.
like head.php or up.php in some CMSes.
This header file runs on every request to your website.
I hope you got it.
Ok. You mean like a global config. I thought you meant like the classic beginner style "header.php" that contains all of the config code and database connection and html of the website layout html > head > body > header id=header