Timeline for How can I prevent SQL injection in PHP?
Current License: CC BY-SA 4.0
82 events
| when toggle format | what | by | license | comment | |
|---|---|---|---|---|---|
| May 4 at 20:14 | comment | added | Adamssef | I might have misunderstood the comment from @donis, but from what I see, prepared statements are actually good for database performance. I don't quite understand where the '10x performance hit' comes from, but it sounds a bit off to me. One of the major benefits of prepared statements is efficiency, as "they can be used repeatedly without being recompiled". | |
| Jul 23, 2023 at 22:29 | history | notice added | Phil | Recommended answer in PHP | |
| Jul 23, 2023 at 22:29 | history | notice removed | Phil | Recommended answer in PHP | |
| Jul 20, 2023 at 17:11 | history | notice added | Abdulla Nilam | Recommended answer in PHP | |
| Jun 8, 2023 at 11:52 | history | edited | Your Common Sense | CC BY-SA 4.0 |
formatting
|
| Dec 11, 2022 at 16:20 | history | edited | WebDevPassion | CC BY-SA 4.0 |
Added information about new method mysqli_execute() from PHP 8.2 upwards
|
| May 4, 2022 at 5:07 | review | Suggested edits | |||
| May 4, 2022 at 15:27 | |||||
| Mar 27, 2022 at 9:08 | history | edited | Your Common Sense | CC BY-SA 4.0 |
added 314 characters in body
|
| Mar 27, 2022 at 8:29 | history | edited | xXx | CC BY-SA 4.0 |
code reformated and grammar fixed
|
| Mar 10, 2022 at 7:23 | history | edited | Your Common Sense | CC BY-SA 4.0 |
I believe error handling details are redundant here
|
| Sep 1, 2021 at 10:34 | history | edited | Dharman♦ | CC BY-SA 4.0 |
We never encode anything. We can format data as part of SQL, but it is going to be encoded the same way.
|
| S Aug 31, 2021 at 23:47 | history | suggested | user16661813 | CC BY-SA 4.0 |
Formatting
|
| Aug 31, 2021 at 19:40 | review | Suggested edits | |||
| S Aug 31, 2021 at 23:47 | |||||
| Jun 28, 2021 at 10:43 | history | edited | Mikko Rantalainen | CC BY-SA 4.0 |
Explain that the real point is *encoding* the data and prepared statements is the recommended way of doing that
|
| May 27, 2021 at 14:45 | history | edited | user14185615 | CC BY-SA 4.0 |
improved formatting
|
| Apr 6, 2021 at 18:32 | history | rollback | Your Common Sense |
Rollback to Revision 51
|
|
| Apr 6, 2021 at 18:06 | history | edited | 6opko | CC BY-SA 4.0 |
added 334 characters in body
|
| Sep 23, 2020 at 22:40 | review | Suggested edits | |||
| Sep 24, 2020 at 6:39 | |||||
| Jun 6, 2020 at 15:28 | history | edited | mufazmi | CC BY-SA 4.0 |
improve post
|
| Jun 6, 2020 at 15:27 | history | rollback | mufazmi |
Rollback to Revision 48
|
|
| Apr 19, 2020 at 18:14 | history | rollback | Your Common Sense |
Rollback to Revision 47
|
|
| Apr 19, 2020 at 17:33 | history | edited | XCore | CC BY-SA 4.0 |
More info about SQL injection and how to prevent it
|
| Feb 26, 2020 at 15:23 | history | edited | Mark | CC BY-SA 4.0 |
added 54 characters in body
|
| Feb 20, 2020 at 16:05 | history | edited | germanfr | CC BY-SA 4.0 |
Use newer syntax
|
| Jul 15, 2019 at 12:41 | history | edited | Peter Mortensen | CC BY-SA 4.0 |
Active reading.
|
| Feb 25, 2019 at 22:52 | history | rollback | Dharman♦ |
Rollback to Revision 42
|
|
| Feb 20, 2019 at 4:57 | history | edited | Top-Master | CC BY-SA 4.0 |
makes clear that the SQL injection will fail
|
| Mar 3, 2018 at 15:27 | history | rollback | vaultah |
Rollback to Revision 40
|
|
| Mar 1, 2018 at 1:14 | history | edited | whackamadoodle3000 | CC BY-SA 3.0 |
added 2988 characters in body
|
| Dec 28, 2017 at 12:51 | history | edited | Daniel Lemke | CC BY-SA 3.0 |
added comment to indicate what the 's' stands for in bind_param()
|
| Dec 25, 2017 at 14:36 | history | edited | Nae | CC BY-SA 3.0 |
Improved grammar
|
| Jul 23, 2017 at 13:56 | history | edited | Cœur | CC BY-SA 3.0 |
small letters
|
| Jul 7, 2017 at 14:55 | history | made wiki | Post Made Community Wiki by animuson♦ | ||
| Dec 20, 2016 at 14:51 | history | edited | Will B. | CC BY-SA 3.0 |
fixed use-case scenario for strict DESC/ASC, since !empty could result in any value
|
| Nov 18, 2016 at 8:54 | comment | added | donis | This answer lacks the explanation of what is a prepared statement - one thing - it's a performance hit if you use a lot of prepared statements during your request and sometimes it accounts for 10x performance hit. Better case would be use PDO with parameter binding off, but statement preparation off. | |
| Jan 24, 2016 at 15:08 | comment | added | AbbasAli Hashemian | This is a bad habit but is a post-problem solution : Not only for SQL injection but for any type of injections (for example there was a view template injection hole in F3 framework v2) if you have a ready old website or app is suffering from injection defects , one solution is to reassign the values of your supperglobal predefined vars like $_POST with escaped values at bootstrap. By PDO, still it is possible to escape (also for today frameworks) : substr($pdo->quote($str, \PDO::PARAM_STR), 1, -1) | |
| Jan 19, 2016 at 17:40 | comment | added | Randall Valenciano | Also, the official documentation of mysql_query only allows to execute one query, so any other query besides ; is ignored. Even if this is already deprecated there are a lot of systems under PHP 5.5.0 and that may use this function. php.net/manual/en/function.mysql-query.php | |
| Sep 26, 2015 at 5:54 | history | edited | Your Common Sense | CC BY-SA 3.0 |
Removed nonsense
|
| Jun 17, 2015 at 8:37 | history | rollback | Florian Margaine |
Rollback to Revision 33
|
|
| Jun 9, 2015 at 1:22 | history | edited | Scott Arciszewski | CC BY-SA 3.0 |
There are cleaner ways to do prepared statements.
|
| Jun 9, 2015 at 1:07 | history | edited | Scott Arciszewski | CC BY-SA 3.0 |
MySQL isn't the only RDBMS; also, explain dynamic queries.
|
| Jun 9, 2015 at 0:52 | history | edited | Scott Arciszewski | CC BY-SA 3.0 |
Be explicit about RDBMS's other than MySQL
|
| Jan 22, 2015 at 18:56 | history | edited | Daryl Gill | CC BY-SA 3.0 |
added 2 characters in body
|
| Dec 19, 2014 at 9:05 | history | edited | PeeHaa | CC BY-SA 3.0 |
added 64 characters in body
|
| May 30, 2014 at 18:26 | history | edited | Peter Mortensen | CC BY-SA 3.0 |
Grammar. Spelling/case (ref. <https://en.wikipedia.org/wiki/MySQLi>).
|
| May 6, 2014 at 10:59 | history | edited | Mau | CC BY-SA 3.0 |
corrected sql syntax (* not needed in delete statements)
|
| Dec 17, 2013 at 21:13 | history | edited | Chris Cooper | CC BY-SA 3.0 |
added 3 characters in body
|
| Oct 31, 2013 at 21:06 | history | edited | Naftali | CC BY-SA 3.0 |
fixed spacing
|
| S Oct 31, 2013 at 10:56 | history | suggested | Joran Den Houting | CC BY-SA 3.0 |
Edited with code tags
|
| Oct 31, 2013 at 10:07 | review | Suggested edits | |||
| S Oct 31, 2013 at 10:56 | |||||
| Oct 25, 2013 at 9:12 | history | edited | PeeHaa | CC BY-SA 3.0 |
deleted 2 characters in body
|
| Aug 26, 2013 at 10:15 | review | Suggested edits | |||
| Aug 26, 2013 at 10:29 | |||||
| Jun 6, 2013 at 16:12 | history | bounty ended | chrislondon | ||
| Jun 5, 2013 at 16:12 | review | Suggested edits | |||
| Jun 5, 2013 at 16:14 | |||||
| May 29, 2013 at 8:57 | history | edited | koopajah | CC BY-SA 3.0 |
replaced the by to
|
| May 26, 2013 at 7:11 | history | edited | jprofitt | CC BY-SA 3.0 |
Minor clarification
|
| Feb 21, 2013 at 12:33 | review | Suggested edits | |||
| Feb 21, 2013 at 12:39 | |||||
| Nov 16, 2012 at 17:03 | history | edited | Olaf Dietsche | CC BY-SA 3.0 |
Fixed a typo
|
| Aug 22, 2012 at 13:00 | history | wiki removed | Bill the Lizard | ||
| Aug 20, 2012 at 20:59 | history | edited | PeeHaa | CC BY-SA 3.0 |
added 15 characters in body
|
| Aug 20, 2012 at 19:28 | history | rollback | PeeHaa |
Rollback to Revision 17
|
|
| Aug 6, 2012 at 15:29 | history | edited | Madara's Ghost | CC BY-SA 3.0 |
added 1 characters in body
|
| Jun 10, 2012 at 14:38 | history | edited | PeeHaa | CC BY-SA 3.0 |
Removed the imho subjective change that pdo is better
|
| Jun 7, 2012 at 19:42 | history | edited | Madara's Ghost | CC BY-SA 3.0 |
Quick reformatting, may have some more in the future.
|
| S May 31, 2012 at 15:46 | history | suggested | user529649 | CC BY-SA 3.0 |
nickpicking. and a typo ?
|
| May 31, 2012 at 13:12 | review | Suggested edits | |||
| S May 31, 2012 at 15:46 | |||||
| May 25, 2012 at 23:37 | history | edited | NikiC | CC BY-SA 3.0 |
Ooops, revert accidential change of word
|
| May 24, 2012 at 21:41 | history | edited | NikiC | CC BY-SA 3.0 |
Put the PDO and mysqli code snippets at the top
|
| May 24, 2012 at 21:30 | history | edited | NikiC | CC BY-SA 3.0 |
Put the PDO and mysqli code snippets at the top
|
| May 24, 2012 at 18:52 | history | edited | PeeHaa | CC BY-SA 3.0 |
added 24 characters in body
|
| May 24, 2012 at 18:17 | history | edited | PeeHaa | CC BY-SA 3.0 |
added 274 characters in body
|
| May 24, 2012 at 17:46 | history | edited | PeeHaa | CC BY-SA 3.0 |
added 96 characters in body
|
| May 24, 2012 at 17:41 | history | edited | PeeHaa | CC BY-SA 3.0 |
added 96 characters in body
|
| May 24, 2012 at 17:34 | history | edited | PeeHaa | CC BY-SA 3.0 |
added 96 characters in body
|
| May 24, 2012 at 17:25 | history | edited | PeeHaa | CC BY-SA 3.0 |
added 593 characters in body
|
| May 24, 2012 at 17:13 | history | edited | PeeHaa | CC BY-SA 3.0 |
added 593 characters in body
|
| Apr 5, 2012 at 3:21 | history | edited | Dave Jarvis | CC BY-SA 3.0 |
added 4 characters in body
|
| Jan 29, 2012 at 19:21 | history | edited | Levi Morrison | CC BY-SA 3.0 |
Improved formatting and correctness. Also added a small note about `mysqli`
|
| Jul 14, 2011 at 15:23 | review | Suggested edits | |||
| Jul 14, 2011 at 16:17 | |||||
| Nov 6, 2009 at 20:30 | history | edited | Theo | CC BY-SA 2.5 |
Fixed a link
|
| Nov 20, 2008 at 19:56 | vote | accept | Andrew G. Johnson | ||
| Sep 13, 2008 at 12:30 | history | answered | Theo | CC BY-SA 2.5 |