PHP and SQL Injection: 4 Ways to Secure Your Website

SQL injection (SQLi) is a type of attack that can allow attackers to execute malicious statements in a SQL database. 💉
This can allow them to access sensitive data or even take control of the entire database. In this post, we will see how to protect your PHP web application from SQL injection attacks.


What is SQL Injection?



SQL injection is a type of attack that can be used to exploit web applications that use an SQL database. This type of attack allows the attacker to insert malicious code into an SQL statement, which can then be executed by the database server.

In order for this type of attack to work, the attacker must first find a vulnerable web application. One of the most common ways to find vulnerable web applications is to use search engines. The attacker can use special operators to search for websites that are vulnerable to SQL injection attacks. For example, they could use the inurl operator to search for pages that contain certain terms in their URL, or the filetype operator to search for specific file types, such as SQL scripts.

Once the attacker has found a vulnerable website, they can then start crafting their malicious SQL statement. The most common way to do this is to use a UNION query. A UNION query is two or more queries that are combined into one statement. The attacker can use this type of query to inject their own code into the original query.

There are 3 types of SQL Injection, it will not be the subject of this article to explain them but I share you links to very good articles:


Example of SQL Injection

Here is a well-known example of SQL Injection where the attacker manages to inject or 1=1;-- at the end of an SQL query due to a lack of validation / user input filtering on the server side.

The or 1=1;-- part is a condition that is always true (the -- is used to comment out the end of the SQL line), which means that it will select all rows of the users table regardless of the value of the user ID. This allows a malicious person to see (or deduct in case of blind injection) all user information in the database, even if it is normally protected by an authentication or authorization system.


What are the consequences of SQL Injection?

SQL injection attacks can have serious consequences for both individuals and organizations. If successful, an attacker could gain access to sensitive information such as credit card numbers, social security numbers, and other personal information. They could also modify data in the database, delete data, or even create new users with elevated privileges.

SQL injection attacks can also be used to launch denial of service (DoS) attacks. This is done by crafting a malicious SQL statement that causes the database server to crash or consume all of its available resources. This type of attack can render a website or application unusable for legitimate users.


Prevent SQL Injection in PHP in 4 ways


Parameterized queries


Parameterized queries are a way to avoid SQL injection by ensuring that user input can only be treated as data, and not as part of the SQL query. This is done by using placeholder values in the SQL query, which are then replaced with the actual values at runtime.

For example, let's say we have a form on our website that allows users to enter their name and email address. We could use a parameterized query to insert this data into our database, like so:

INSERT INTO users (name, email) VALUES (?, ?)

Notice that we've used two question marks as placeholder values for our name and email parameters. We can then use the PDO::prepare() method to prepare our SQL query:

$stmt = $pdo->prepare('INSERT INTO users (name, email) VALUES (?, ?)');

Finally, we can execute our query and pass in the values for our name and email parameters:

$stmt->execute([$name, $email]);


Escape special characters.


Another way to protect against SQL injection is to escape special characters in user input before adding it to your database.
For example, if we have a form on our website that allows users to search for posts by keyword, we could use the mysql_real_escape_string() function to escape any special characters in the keywords before doing the search:

$keywords = mysql_real_escape_string($_GET['keywords']);

$sql = "SELECT * FROM posts WHERE title LIKE '%".$keywords."%'";


Use a whitelist.


A third way to protect against SQL injection is to use a whitelist of approved characters in user input.
For example, if we have a form on our website that allows users only enter alphanumeric characters (letters and numbers), we could use the ctype_alnum() function to check if the input contains any other characters:

if (!ctype_alnum($input)) { 
  die("Error: Only alphanumeric characters are allowed."); 


Limit user input


A fourth way to protect against SQL injection is to limit the amount of user input that you allow.
For example, if we have a form on our website that allows users to enter their name, email address, and password, we could use the strlen() function to check if the length of the input is greater than what we're expecting:

if (strlen($input) > 255) { 
  die("Error: Input must be less than 255 characters."); 




SQL injection is a serious security threat that can have devastating consequences. Websites using PHP are especially vulnerables to SQL injection attacks.
However, there are steps you can take to protect your website. By using parameterized queries, escaping special characters, using a whitelist or by limiting user's inputs, you can make your code invincible to SQL injection attacks.


Discover related posts

0 comment