given code examples make no sense and this question got so big score regardless, they can be safely removed
Your Common Sense


I believe that if someone intends to utilize PHP along with MySQL or any other database server:

  1. Consider exploring PDO (PHP Data Objects) - an invaluable database access layer that offers a consistent approach to accessing various databases (https://php.net/manual/en/book.pdo.php).
  2. Consider delving into MySQLi, which is an excellent option for learning and utilizing MySQL databases.

Libraries examples:

---- PDO

----- No placeholders - ripe for SQL injection! It's bad

// $name, $addr and $city are interpolated straight into the SQL text
$request = $pdoConnection->query("INSERT INTO parents (name, addr, city) VALUES ('$name', '$addr', '$city')");

----- Unnamed placeholders

$request = $pdoConnection->prepare("INSERT INTO parents (name, addr, city) VALUES (?, ?, ?)");
$request->execute([$name, $addr, $city]);   // values are bound in order of the ? marks

----- Named placeholders

$request = $pdoConnection->prepare("INSERT INTO parents (name, addr, city) VALUES (:name, :addr, :city)");
$request->execute([':name' => $name, ':addr' => $addr, ':city' => $city]);

--- MySQLi

$request = $mysqliConnection->prepare('
       SELECT * FROM trainers
       WHERE name = ?
       AND email = ?
       AND last_login > ?');

    $since = time() - 3600;                            // bind_param binds by reference, so it needs a variable
    $request->bind_param('ssi', $name, $mail, $since); // type string: one letter per ?, s = string, i = integer
    $request->execute();

P.S:

PDO wins this battle with ease. With support for twelve different database drivers and named parameters, we can get used to its API. From a security standpoint, both of them are safe as long as the developer uses them the way they are supposed to be used.

I believe that if someone intends to utilize PHP along with MySQL or any other database server:

  1. Consider exploring PDO (PHP Data Objects) - an invaluable database access layer that offers a consistent approach to accessing various databases.
  2. Consider delving into MySQLi, which is an excellent option for learning and utilizing MySQL databases.

P.S:

PDO has such advantages as support for twelve different database drivers and named parameters. From a security standpoint, both of them are safe as long as the developer uses them the way they are supposed to be used.
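An added, runnable example (not part of the answer above) showing what the placeholders actually buy you: the same tautology payload returns every row when the value is interpolated into the SQL string and nothing when it is bound through a prepared statement. It uses PDO against an in-memory SQLite database so it runs without a MySQL server; the `trainers` table, its columns, the two sample rows and the payload are all constructed for the demo.

```php
<?php
// Added example, not code from the original answer.
// Runs offline: PDO + SQLite in memory. Table, rows and payload are made up here.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE trainers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, last_login INTEGER)');

    // Seed two constructed rows; named placeholders keep even the seed data out of the SQL text.
    $ins = $db->prepare('INSERT INTO trainers (name, email, last_login) VALUES (:name, :email, :last_login)');
    $ins->execute([':name' => 'alice', ':email' => 'alice@example.com', ':last_login' => time()]);
    $ins->execute([':name' => 'bob',   ':email' => 'bob@example.com',   ':last_login' => time() - 86400]);
    return $db;
}

// The "no placeholders" pattern from the answer: user input is glued into the SQL string.
function findUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name FROM trainers WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Unnamed placeholders: the value is sent separately and can never change the query structure.
function findWithUnnamed(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM trainers WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Named placeholders with explicit types; the integer bound as an integer, not as text.
function findWithNamed(PDO $db, string $name, int $since): array
{
    $stmt = $db->prepare('SELECT name FROM trainers WHERE name = :name AND last_login > :since');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':since', $since, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = makeDb();
$payload = "x' OR '1'='1";   // constructed tautology payload

var_dump(findUnsafe($db, $payload));                   // both rows: the quote closed the literal, OR '1'='1' matched everything
var_dump(findWithUnnamed($db, $payload));              // empty: it looked for a trainer literally named x' OR '1'='1
var_dump(findWithNamed($db, $payload, time() - 3600)); // empty for the same reason
var_dump(findWithNamed($db, 'alice', time() - 3600));  // only alice, whose last_login is within the hour
```

Run it with `php demo.php`. Against a real MySQL connection the same functions work unchanged; there it is also worth setting `PDO::ATTR_EMULATE_PREPARES` to `false` so the server, not the client library, does the binding. With MySQLi the equivalent is `bind_param('s', $name)`, where the first argument is the type string (one letter per `?`: `s` string, `i` integer, `d` double, `b` blob) and the remaining arguments must be variables, because they are bound by reference.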

added 144 characters in body
RDK


I think if someone wants to use PHP and MySQL or some other database server:

  1. Think about learning PDO (PHP Data Objects) – it is a database access layer providing a uniform method of access to multiple databases.
  2. Think about learning MySQLi


P.S:

PDO wins this battle with ease. With support for twelve different database drivers and named parameters, we can get used to its API. From a security standpoint, both of them are safe as long as the developer uses them the way they are supposed to be used.


remove bad advice
miken32


I think if someone wants to use PHP and MySQL or some other database server:

  1. Think about learning PDO (PHP Data Objects) – it is a database access layer providing a uniform method of access to multiple databases.
  2. Think about learning MySQLi
  3. Use native PHP functions like: strip_tags, mysql_real_escape_string or if variable numeric, just (int)$foo. Read more about type of variables in PHP here. If you're using libraries such as PDO or MySQLi, always use PDO::quote() and mysqli_real_escape_string().


P.S:

PDO wins this battle with ease. With support for twelve different database drivers and named parameters, we can ignore the small performance loss, and get used to its API. From a security standpoint, both of them are safe as long as the developer uses them the way they are supposed to be used.

But while both PDO and MySQLi are quite fast, MySQLi performs insignificantly faster in benchmarks – ~2.5% for non-prepared statements, and ~6.5% for prepared ones.

And please test every query to your database - it's a better way to prevent injection.


Post Made Community Wiki by animuson
Copy edited.
Peter Mortensen
added 1896 characters in body
RDK
RDK