Prevent SQL injection in PHP

Language 2023-10-03 08:54:02 views: null

[Prevent SQL injection in PHP using prepared statements and PDO]

We can use prepared statements with PDO to prevent SQL injection in PHP. SQL injection occurs when a mixture of queries and data is sent to the database. In this approach, we do not specify the exact value of the data in the SQL statement. We use placeholders instead. Therefore, the parameterized SQL statement is sent to the server as the first request. We use prepare()the function to achieve this. We bind the exact values ​​of the parameters in the second request to the database server. For this we use bindValue()the function. This way we send the program on the first request and the data on the second request. If we ask for data to be used with SQL code, the user can change the program and write malicious code. Therefore, it prevents malicious SQL code from being injected into the server.

For example, table userscontains the following fields and data.

+----+-----------+----------+------------+
| id | firstname | lastname | dob        |
+----+-----------+----------+------------+
|  1 | bruce     |  rose    | 1998-02-13 |
|  2 | jeff      |  james   | 2000-03-30 |
+----+-----------+----------+------------+

It creates a variable $firstnameand assigns it a name bruce. It creates the variable $sqland writes a query on it SELECT * FROM users WHERE firstname =:fname;.

firstnameDo not write exact data values ​​for . Use parameters instead :fname. Use $pdoa variable to call a function on a query variable prepare(). Replace :fnamethe value of with the variable firstname. Use execute()the function to execute the statement. If the credentials match the database, fetch()the result is checked using the function. If so, displays the id, firstnameand for the selected row lastname.

The following example demonstrates the use of prepared statements. It firstnamestores the value of the field in a variable to verify that the credentials match. If the variable contains some malicious code, it will display a message Credentials do no match. This is because prepared()the function only accepts parameterized queries, not exact data. $pdoThe variable contains the database connection object.

Sample code:

# php 7.*
<?php
$firstname = "bruce";
$sql = "SELECT * FROM users WHERE firstname =:fname ;";
$stmt = $pdo->prepare($sql);
$stmt->bindValue(":fname", $firstname);
$stmt->execute();
if(!$result = $stmt->fetch(PDO::FETCH_OBJ)){
    
    
    echo "Credentials do no match";
} else {
    
    
    echo"Id: ".$result->id. " Name: ".$result->firstname." ".$result->lastname;
}
?>

Output:

Id: 1 Name: bruce rose

[Use parameterized query preparedstatements in PHP to prevent SQL injection]

We can prepareduse the statement with parameterized queries to prevent SQL injection in PHP. We mysqli()create the database connection using the function object. In this approach, we use the question mark symbol ?as a placeholder for data. We prepare()use the function as the above method. We use bind_param()the function to bind the real data into the placeholder. This method follows a similar working mechanism to the above method.

For example, establish a database connection, create a mysqli()function object, and assign it to a variable $conn. Assign the name jeffto the variable $firstname. Create variables $sqland write queries SELECT * FROM FROM where where first name = ?;. Use $conna variable to call a function on a query variable prepare(). Replace placeholders for use ?with variables $firstname. Use execute()the function to execute the statement. Call get_result()the function and store the result in $resulta variable. If the condition fails, check if the row has num_rowsthe attribute and use exit()the function to return a message No Rows. The method is called fetch_assoc()and stored in the variable in the while loop $row. idDisplays the , firstnameand for the selected row lastname.

Sample code:

#php 7.x
<?php
$conn = new mysqli($host, $user, $pwd, $dbName);
$firstname = "jeff";
$sql = "SELECT * FROM users WHERE firstname = ?";
$stmt = $conn->prepare($sql);
$stmt->bind_param("s", $firstname);
$stmt->execute();
$result = $stmt->get_result();
if($result->num_rows === 0) exit('No rows');
    while($row = $result->fetch_assoc()) {
    
    
    echo"Id: ".$row['id']. " Name: ".$row['firstname']." ".$row['lastname'];
}

Output:

Id: 2 Name: jeff james

[ PDO::ATTR_EMULATE_PREPARESSet the property to falseprevent SQL injection]

Using prepared statements in PDO may not be enough to prevent SQL injection if we do not set the PDO properties correctly. We should PDO::ATTR_EMULATE_PREPARESset the property to falseprevent injection. If the property is set to true, PDO will only emulate prepared statements without using them. Therefore, the system will be vulnerable to SQL injection attacks.

For example, $pdocreate a PDO connection to the database in the variable . Use this variable to call setAttribute()the function. Set the property PDO::ATTR_EMULATE_PREPARESto false.

Code example:

#php 7.x
<?php
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, true);
?>

Guess you like

Origin blog.csdn.net/weixin_50251467/article/details/131776947
Recommended
Ranking
error: (-215:Assertion failed) !_img.empty() in function ‘cv::imwrite‘
Database migration between Navicat servers
Minimum number of rotation of the array: Array
balenaEtcher for mac (make a boot disk software) v1.5.67
Custom processing serialization and deserialization in jackson
Mu-en-mask system development software
Mastering Regular Expressions
Find mileage Java--
Web pages can not directly concern the public micro-channel number how to do? A key to arouse public concern number of micro-channel solutions
[CodeForces - 739B] Alyona and a tree Tree + [difference] + bipartite
Daily
More
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)

Code World

© 2018 codetd.com