Home
Tech info
Technology
Science
Life
Application
Electric
Program
Mobile
Windows 10
Windows 11How to Prevent SQL Injection in PHP
Part 1 of 2:
Understanding SQL Injection
- SQL Injection is a type of vulnerability in applications that use a SQL database. The vulnerability arises when a user input is used in a SQL Statement:
$name = $_GET['username']; $query = "SELECT password FROM tbl_user WHERE name = '$name' ";
- The value a user enters into the URL variable username will be assigned to the variable $name. It's then placed directly into the SQL statement, making it possible for the user to edit the SQL statement.
$name = "admin' OR 1=1 -- "; $query = "SELECT password FROM tbl_user WHERE name = '$name' ";
- The SQL database will then receive the SQL statement as follows:
SELECT password FROM tbl_users WHERE name = 'admin' OR 1=1 -- '
- This is valid SQL, but instead of returning one password for the user, the statement will return all the passwords in the table tbl_user. This is not something you want in your web applications.
Part 2 of 2:
Using mySQLi to Create Prepared Statements
-
Create the mySQLi SELECT Query. Use the code below to SELECT data from a table using mySQLi Prepared Statements.$name = $_GET['username']; if ($stmt = $mysqli->prepare("SELECT password FROM tbl_users WHERE name=?")) { // Bind a variable to the parameter as a string. $stmt->bind_param("s", $name); // Execute the statement. $stmt->execute(); // Get the variables from the query. $stmt->bind_result($pass); // Fetch the data. $stmt->fetch(); // Display the data. printf("Password for user %s is %sn", $name, $pass); // Close the prepared statement. $stmt->close(); }
- Note: The variable $mysqli is the mySQLi Connection Object.
-
Create the mySQLi INSERT Query. Use the code below to INSERT data into a table using mySQLi Prepared Statements.$name = $_GET['username']; $password = $_GET['password']; if ($stmt = $mysqli->prepare("INSERT INTO tbl_users (name, password) VALUES (?, ?)")) { // Bind the variables to the parameter as strings. $stmt->bind_param("ss", $name, $password); // Execute the statement. $stmt->execute(); // Close the prepared statement. $stmt->close(); }
- Note: The variable $mysqli is the mySQLi Connection Object.
- Create the mySQLi UPDATE Query. Use the code below to UPDATE data in a table using mySQLi Prepared Statements.
$name = $_GET['username']; $password = $_GET['password']; if ($stmt = $mysqli->prepare("UPDATE tbl_users SET password = ? WHERE name = ?")) { // Bind the variables to the parameter as strings. $stmt->bind_param("ss", $password, $name); // Execute the statement. $stmt->execute(); // Close the prepared statement. $stmt->close(); }
- Note: The variable $mysqli is the mySQLi Connection Object.
- Create the mySQLi DELETE Query. The below script is how to DELETE data from a table using mySQLi Prepared Statements.
$name = $_GET['username']; $password = $_GET['password']; if ($stmt = $mysqli->prepare("DELETE FROM tbl_users WHERE name = ?")) { // Bind the variable to the parameter as a string. $stmt->bind_param("s", $name); // Execute the statement. $stmt->execute(); // Close the prepared statement. $stmt->close(); }
- Note: The variable $mysqli is the mySQLi Connection Object.
5 ★ | 2 Vote
Marvin FryYou should read it
- How to retrieve a Tik Tok password when it is lost
- If ... Else in C
- How to remove PDF file password
- Check the security of the password
- Use an 8-character Windows NTLM password? Congratulations, your password may be unlocked after only 2.5 hours
- 5 best password management apps for iOS
- Has your password been leaked? Please check now
- How to Remove the Password from a Zip File Without Knowing the Password
May be interested
- What is AI Prompt Injection attack?
ai prompt injection attacks poison the output from the ai tools you rely on, changing and manipulating its output into something harmful. - Block hacker SQL Injection with ASPsql injection is a hacker 's attack tool to steal vital, vital information of vulnerable organizations and companies.
- Download the latest Joomla version to fix a serious SQL Injection vulnerabilityif your website is based on the joomla content management system make sure to update it to the latest version, which has just been released today.
- Things to know about 5 in 1 vaccines and 6 in 1 vaccinesthe purpose of the general vaccination to prevent 6 dangerous diseases in children is leukocytes, tetanus, pertussis, hib, hepatitis b and polio.
- The secret of the most special death cases in world historyin the history of the world, there are a number of special death cases that many people can not be surprised as if they do not find a vein to inject poison or after nearly two hours of new deadly poison injection ...
- How to prevent iPad from going to sleepif you have an old ipad, there are lots of great ways to use it, but the auto-sleep feature can be frustrating.
- How to prevent Windows from saving files to OneDriveonedrive is a powerful cloud storage app that comes pre-installed on both windows 10 and windows 11 computers. with onedrive, you can easily store your data in the cloud and share files across multiple devices.
- How to prevent common summer pests from entering your homeplan ahead for summer pest control so you can prevent insects from becoming a nuisance.
- How to chase mosquitoes to prevent dengue, Zika virushot and humid weather is an opportunity for mosquitoes to grow, especially in the context of the world being afraid of zika virus. what secrets do you have to prevent mosquitoes for each family member, especially for young children?
- Prevent virus infection via USBto prevent viruses from spreading via usb, you can use usb disk security software to protect your computer to always be safe when connecting to usb.
How to Create a Secure Session Management System in PHP and MySQL
How to Create a Table in MySQL
How to Install the MySQL Database Server on Your Windows PC
How to Send Sql Queries to Mysql from the Command Line
5 best SQL query optimization software to speed up MySQL
TRUNCATE TABLE statement in SQL