SQL Injection Prevention Techniques

PHP Intermediate 👁️ 4,373 views By system Added Just now

Multiple methods to prevent SQL injection in web applications

0
PHP Code 
<?php
// Method 1: Prepared Statements (Best)
$stmt = $pdo->prepare("SELECT * FROM users WHERE email = ? AND status = ?");
$stmt->execute([$email, $status]);
$user = $stmt->fetch();

// Method 2: Named Parameters
$stmt = $pdo->prepare("SELECT * FROM users WHERE email = :email AND status = :status");
$stmt->execute(["email" => $email, "status" => $status]);

// Method 3: MySQLi Prepared Statements
$stmt = $mysqli->prepare("SELECT * FROM users WHERE email = ?");
$stmt->bind_param("s", $email);
$stmt->execute();
$result = $stmt->get_result();

// Method 4: Escaping (Last resort - use prepared statements instead)
$safe_email = mysqli_real_escape_string($conn, $email);
$query = "SELECT * FROM users WHERE email = "$safe_email"";

// Method 5: Stored Procedures
$pdo->query("CALL GetUserByEmail(?)")->execute([$email]);

// Method 6: Input Validation
function validateEmail($email) {
    return filter_var($email, FILTER_VALIDATE_EMAIL);
}

// Method 7: Allow Listing
$allowed_columns = ["id", "name", "email"];
$order_by = in_array($_GET["sort"], $allowed_columns) ? $_GET["sort"] : "id";

// Method 8: Parameterized IN clause
$ids = [1, 2, 3];
$placeholders = implode(",", array_fill(0, count($ids), "?"));
$stmt = $pdo->prepare("SELECT * FROM users WHERE id IN ($placeholders)");
$stmt->execute($ids);

// Method 9: JSON Encoding (for NoSQL)
$data = json_encode($user_input, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT);

// Method 10: ORM Usage (Doctrine/Eloquent)
$user = User::where("email", $email)->first();

// Security Checklist:
// 1. Always use prepared statements
// 2. Validate input types (int, email, etc.)
// 3. Escape output for HTML
// 4. Use least privilege database users
// 5. Encrypt sensitive data
// 6. Log suspicious queries

Explanation

SQL injection is one of the most critical web vulnerabilities. This snippet demonstrates multiple prevention techniques, with prepared statements being the most effective. Always validate input, use parameterized queries, and never concatenate user input directly into SQL strings.