How can I prevent SQL injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example:

$unsafe_variable = $_POST['user_input']; 

mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");

That's because the user can input something like value'); DROP TABLE table;--, and the query becomes:

INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')

What can be done to prevent this from happening?

2022-06-09 19:14:07
Answers: 5

Use PDO and prepared queries.

($conn is a PDO object)

$stmt = $conn->prepare("INSERT INTO tbl VALUES(:id, :name)");
$stmt->bindValue(':id', $id);
$stmt->bindValue(':name', $name);
// Run the statement with the bound values
$stmt->execute();
2022-06-09 19:35:25

To use the parameterized query, you need to use either Mysqli or PDO. To rewrite your example with mysqli, we would need something like the following.

$mysqli = new mysqli("server", "username", "password", "database_name");

$variable = $_POST["user-input"];
$stmt = $mysqli->prepare("INSERT INTO `table` (`column`) VALUES (?)");
// "s" means the database expects a string
$stmt->bind_param("s", $variable);
// Send the bound value to the server and run the statement
$stmt->execute();

The key function you'll want to read up on there would be mysqli::prepare.

Also, as others have suggested, you may find it useful/easier to step up a layer of abstraction with something like PDO.

Please note that the case you asked about is a fairly simple one and that more complex cases may require more complex approaches. In particular:

  • If you want to alter the structure of the SQL based on user input, parameterized queries are not going to help, and the escaping required is not covered by mysql_real_escape_string. In this kind of case, you would be better off passing the user's input through a whitelist to ensure only 'safe' values are allowed through.
2022-06-09 19:35:09

The correct way to avoid SQL injection attacks, no matter which database you use, is to separate the data from SQL, so that data stays data and will never be interpreted as commands by the SQL parser. It is possible to create an SQL statement with correctly formatted data parts, but if you don't fully understand the details, you should always use prepared statements and parameterized queries. These are SQL statements that are sent to and parsed by the database server separately from any parameters. This way it is impossible for an attacker to inject malicious SQL.

You basically have two options to achieve this:

  1. Using PDO (for any supported database driver):

    $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
    $stmt->execute([ 'name' => $name ]);
    foreach ($stmt as $row) {
        // Do something with $row
    }

  2. Using MySQLi (for MySQL):

    $stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
    $stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
    $stmt->execute();
    $result = $stmt->get_result();
    while ($row = $result->fetch_assoc()) {
        // Do something with $row
    }

If you're connecting to a database other than MySQL, there is a driver-specific second option that you can refer to (for example, pg_prepare() and pg_execute() for PostgreSQL). PDO is the universal option.

Correctly setting up the connection

Note that when using PDO to access a MySQL database, real prepared statements are not used by default. To fix this you have to disable the emulation of prepared statements. An example of creating a connection using PDO is:

$dbConnection = new PDO('mysql:dbname=dbtest;host=;charset=utf8mb4', 'user', 'password');

$dbConnection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$dbConnection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

In the above example, the error mode isn't strictly necessary, but it is advised to add it. This way PDO will inform you of all MySQL errors by means of throwing the PDOException.

What is mandatory, however, is the first setAttribute() line, which tells PDO to disable emulated prepared statements and use real prepared statements. This makes sure the statement and the values aren't parsed by PHP before sending it to the MySQL server (giving a possible attacker no chance to inject malicious SQL).

Although you can set the charset in the options of the constructor, it's important to note that 'older' versions of PHP (before 5.3.6) silently ignored the charset parameter in the DSN.

For mysqli we have to follow the same routine:

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // error reporting
$dbConnection = new mysqli('', 'username', 'password', 'test');
$dbConnection->set_charset('utf8mb4'); // charset


The SQL statement you pass to prepare is parsed and compiled by the database server. By specifying parameters (either a ? or a named parameter like :name in the example above) you tell the database engine where you want to filter on. Then when you call execute, the prepared statement is combined with the parameter values you specify.

The important thing here is that the parameter values are combined with the compiled statement, not an SQL string. SQL injection works by tricking the script into including malicious strings when it creates SQL to send to the database. So by sending the actual SQL separately from the parameters, you limit the risk of ending up with something you didn't intend.

Any parameters you send when using a prepared statement will just be treated as strings (although the database engine may do some optimization so parameters may end up as numbers too, of course). In the example above, if the $name variable contains 'Sarah'; DELETE FROM employees the result would simply be a search for the string "'Sarah'; DELETE FROM employees", and you will not end up with an empty table.

Another benefit of using prepared statements is that if you execute the same statement many times in the same session it will only be parsed and compiled once, giving you some speed gains.

Oh, and since you asked about how to do it for an insert, here's an example (using PDO):

// `table` and `column` are reserved words in MySQL, so the placeholders are quoted
$preparedStatement = $db->prepare('INSERT INTO `table` (`column`) VALUES (:column)');

$preparedStatement->execute([ 'column' => $unsafeValue ]);

Can prepared statements be used for dynamic queries?

While you can still use prepared statements for the query parameters, the structure of the dynamic query itself cannot be parametrized and certain query features cannot be parametrized.

For these specific scenarios, the best thing to do is use a whitelist filter that restricts the possible values.

// Value whitelist
// $dir can only be 'DESC', otherwise it will be 'ASC'
if (empty($dir) || $dir !== 'DESC') {
   $dir = 'ASC';
}
2022-06-09 19:35:04
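
The whitelist filter and the bound parameter described in the answers above, combined in one query, as an added example that is not part of the original answers. The employees table layout, the hired_on column, the findEmployees() function and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example: table, column and function names are assumptions.
declare(strict_types=1);

/**
 * Search employees by name with a caller-chosen sort order.
 * Values are bound as parameters; identifiers and keywords, which cannot be
 * bound, are picked from fixed lists and never copied from the input.
 */
function findEmployees(PDO $pdo, string $name, string $sortBy, string $dir): array
{
    // Accepted request values mapped to the SQL identifiers actually used.
    $sortable = ['name' => 'name', 'hired' => 'hired_on'];
    $column = $sortable[$sortBy] ?? 'name';          // unknown key: use the default
    $direction = ($dir === 'DESC') ? 'DESC' : 'ASC'; // same rule as the $dir filter

    $stmt = $pdo->prepare(
        "SELECT name, hired_on FROM employees WHERE name = :name
         ORDER BY $column $direction"
    );
    $stmt->execute(['name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE employees (name TEXT, hired_on TEXT)');
$insert = $pdo->prepare('INSERT INTO employees (name, hired_on) VALUES (?, ?)');
foreach ([['Sarah', '2020-01-15'], ['Sarah', '2018-06-01'], ['Omar', '2019-03-20']] as $row) {
    $insert->execute($row);
}

// Ordinary request, sorted by hire date in descending order.
$rows = findEmployees($pdo, 'Sarah', 'hired', 'DESC');
printf("%d rows, first hired %s\n", count($rows), $rows[0]['hired_on']);

// The string from the answer above as the name, plus sort inputs that are
// not in the lists: the name is compared as a literal value, and the sort
// inputs fall back to the defaults.
$rows = findEmployees($pdo, "'Sarah'; DELETE FROM employees", 'name; DROP TABLE employees', 'DESC; --');
printf("%d rows matched\n", count($rows));

// Count what is left in the table afterwards.
printf("%d rows remain\n", (int) $pdo->query('SELECT COUNT(*) FROM employees')->fetchColumn());
```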

I'd recommend using PDO (PHP Data Objects) to run parameterized SQL queries.

Not only does this protect against SQL injection, but it also speeds up queries.

And by using PDO rather than mysql_, mysqli_, and pgsql_ functions, you make your application a little more abstracted from the database, in the rare occurrence that you have to switch database providers.

2022-06-09 19:23:38

Security Warning: This answer is not in line with security best practices. Escaping is inadequate to prevent SQL injection, use prepared statements instead. Use the strategy outlined below at your own risk.

You could do something basic like this:

// mysqli_real_escape_string() takes the connection first, then the string
$safe_variable = mysqli_real_escape_string($dbConnection, $_POST["user-input"]);
mysqli_query($dbConnection, "INSERT INTO `table` (`column`) VALUES ('" . $safe_variable . "')");

This won't solve every problem, but it's a very good stepping stone. I left out obvious items such as checking the variable's existence, format (numbers, letters, etc.).

2022-06-09 19:23:26