Thursday, 2 July 2015

How can I prevent SQL-injection in PHP?


Question: What is SQL Injection?
SQL injection is a code injection technique used to attack database-driven applications. Malicious SQL fragments are inserted into a database query through user-supplied input.


Question: How do attackers attack a website with SQL Injection?
Using SQL injection, an attacker targets the web application's tables/database through its input fields.

For example, take a web login form where a visitor enters a username and password to log in to the system.
An attacker submits special characters (e.g. '"!@#$%^&*()_+) in the login form; if they reach the query unescaped, the query can be altered.


What can attackers do with SQL Injection?
Below are a couple of ways an attacker can harm our website:
  1. After the form is submitted, these special characters get mixed into the query and break it, so the page crashes. In this case the attacker may be able to see the queries printed in the browser (if debug mode is not off).
  2. They may use a combination of special characters that lets them log in to our system without valid credentials.
  3. They may be able to see the list of users in our database.
  4. They may delete records or tables.



How can we prevent SQL Injection?
We must treat data entered by the user as untrusted, and escape or bind it before saving it in the database or using it in a SQL query.
If the string is escaped (or, better, bound as a parameter) before it reaches the query, the website is protected from this attack.

Following are a few different ways to prevent SQL injection in PHP; use any of the below:
Use a PHP function (PHP 5.4 and earlier)
// requires an open mysql_connect() link: mysql_real_escape_string() escapes using that connection's character set
$safeData = mysql_real_escape_string($_POST["user-input"]);
mysql_query("INSERT INTO table (column) VALUES ('" . $safeData . "')");
// If you are using PHP >= 5.5, use MySQLi or PDO instead: mysql_real_escape_string (and the whole mysql_* extension) is deprecated in PHP 5.5


Use MySQLi (the improved MySQL extension)
$mysqli = new mysqli("server", "username", "password", "database_name");
$unsafeData = $_POST["user-input"];
$stmt = $mysqli->prepare("INSERT INTO table (column) VALUES (?)"); // placeholder instead of concatenated input
$stmt->bind_param("s", $unsafeData); // "s" = bind the value as a string
$stmt->execute();
$stmt->close();
$mysqli->close();


Use PDO to connect to the database
// $pdo is an open PDO connection (created with new PDO(...))
$stmt = $pdo->prepare('SELECT * FROM users WHERE name = :name');
$unsafeData = $_POST["user-input"];
$stmt->execute(array('name' => $unsafeData)); // the value is bound, never spliced into the SQL text



Following are example strings used in SQL injection attacks; a query built by string concatenation passes them through unchanged:
123' or '1  
123' or '1#
123' or 1 union select 1,database(), version()#
123' or 1 union select id, password,email from users#
123' or 1 union select id, password,email from users into outfile '/store-in-db.txt'#
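As an added example (not part of the original post), the following script puts the first string from the list above through both a concatenated query and a prepared statement, so the difference between the vulnerable and the safe approach from the previous section can be seen on real output. It uses an in-memory SQLite database via PDO so that it runs offline; the users table, its rows and the function names are constructed for this example.

```php
<?php
// Added example (not from the original post): "123' or '1" through a concatenated
// query and through a prepared statement. In-memory SQLite via PDO, so no server is needed.
// The users table, its rows and the function names are constructed here.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, password TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name, password) VALUES ('alice', 'hash-a'), ('bob', 'hash-b')");

// Vulnerable: the input is pasted into the SQL text, so a quote in the input ends the
// string literal and the rest of the input becomes part of the WHERE clause.
function findUserVulnerable(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    echo "query sent: $sql\n";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the SQL text is fixed at prepare() time; the input travels separately as a bound
// value and is compared as data, whatever characters it contains.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute(['name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$input = "123' or '1"; // first string from the list above (constructed input)

$rows = findUserVulnerable($pdo, $input);
echo count($rows) . " row(s) from the concatenated query\n";
foreach ($rows as $row) {
    echo "  leaked: {$row['id']} {$row['name']}\n";
}

$rows = findUserSafe($pdo, $input);
echo count($rows) . " row(s) from the prepared statement\n";
```

Run it with `php` on the command line. The concatenated query's WHERE clause becomes `name = '123' or '1'`, which is always true, so every user row comes back; the prepared statement looks for a user literally named `123' or '1` and finds nothing. Binding works for any input without the programmer having to get escaping right for every query and character set, which is why the MySQLi and PDO forms above are preferred over mysql_real_escape_string().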

Tuesday, 30 June 2015

PHP Basic questions and answers for fresher and experienced

Top 25 PHP-Interview Questions and Answers


Question: How does JSON.parse work? Give a few examples.
JSON.parse is a JavaScript method that parses a string as JSON and returns the resulting value. Examples of parsing strings as JSON:
JSON.parse('{}');              // {}
JSON.parse('null');            // null
JSON.parse('true');            // true
JSON.parse('"string"');           // "string"
JSON.parse('[1, 5, "false"]'); // [1, 5, "false"]



Question: How to get the data (HTML contents) of any public URL?
Getting the data of a public URL is known as scraping. You can use one of the following methods to get the data of a public URL:
  1. Use the file_get_contents function
  2. Use cURL


Question: What is the use of nl2br?
nl2br is used to insert an HTML line break (<br />) before every newline in a string.


Question: What is .htaccess?
.htaccess is a configuration file for the Apache server which lets us override the base (server-level) configuration on a per-directory basis.


Question: How to get the URL of Referrer page?
echo $_SERVER['HTTP_REFERER'];


Question: How to extract seconds, minutes and hours from a date?
$dateTime = strtotime("2015-06-30 12:25:45"); // convert the date string to a Unix timestamp
echo date('s',$dateTime); //seconds (00-59)
echo date('i',$dateTime); //minutes (00-59)
echo date('h',$dateTime); //hour in 12-hour format (01-12)
echo date('H',$dateTime); //hour in 24-hour format (00-23)


Question: How to get current date and time?
echo date('Y-m-d H:i:s');



Question: How to change the timezone using PHP?
echo date_default_timezone_get(); //current default time zone

date_default_timezone_set('America/Los_Angeles'); //change timezone to Los Angeles



Question: What is the difference between unset and unlink?
unset removes a variable from the current scope.
unlink removes a file from the server's filesystem.


Question: How to increase the max execution time?
Following are different ways to increase the execution time:
Change dynamically with PHP
ini_set('max_execution_time', 300);

With .htaccess
php_value max_execution_time 300

Change in php.ini (needs a server restart)
max_execution_time = 120


Question: How to check whether a variable holds a number or a string value?
$testvariable ='10';
if(is_numeric($testvariable)){ // is_numeric() accepts integers, floats and numeric strings
    echo "This is Number";
}else{
    echo "This is string";
}
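As an added example (not part of the original post), the script below goes a step beyond the check above: is_numeric() answers "could PHP treat this as a number?", which is broader than "is this an integer", so it also shows the stricter filter_var() check a practitioner uses for a record id coming from a form or URL. The sample inputs and the function names are constructed for this example.

```php
<?php
// Added example (not from the original post): is_numeric() versus FILTER_VALIDATE_INT for
// classifying and validating user-supplied values. Sample inputs and function names are
// constructed here.

// Reports what kind of value a variable holds. is_numeric() is true for ints, floats and
// strings PHP can read as a number, including exponent notation such as "1e3".
function classifyValue($value): string
{
    if (is_int($value)) {
        return 'integer';
    }
    if (is_float($value)) {
        return 'float';
    }
    if (is_string($value) && is_numeric($value)) {
        return 'numeric string';
    }
    return 'string';
}

// Strict check for a positive integer id: filter_var() returns the integer on success and
// false otherwise, so "1e3" and "12.5" (accepted by is_numeric) are rejected here, as are
// "10abc" and the empty string.
function validateId($value): ?int
{
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

$samples = [10, 2.5, '10', '1e3', '12.5', '10abc', ''];
foreach ($samples as $sample) {
    printf(
        "%-8s -> %-15s id: %s\n",
        var_export($sample, true),
        classifyValue($sample),
        var_export(validateId($sample), true)
    );
}
```

Use validateId() (or filter_var directly) whenever the value ends up in a query, a file path or an array index; is_numeric() alone lets through values such as "1e3" that are numbers to PHP but not the integer the application expects.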


Question: What is PEAR in php?
Full form of PEAR is PHP Extension and Application Repository. It is a framework and repository for reusable PHP components.


Question: What is MIME?
The full form of MIME is Multipurpose Internet Mail Extensions.
A MIME type is the standard way to declare the content type of a file or message.


Question: Can we change the value of constant variable?
No, we can't do this.


Question: How do we destroy a session?
session_destroy();
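As an added example (not part of the original post), here is a complete logout rather than the bare call above: session_destroy() removes the server-side session data, but it leaves $_SESSION populated for the rest of the request and leaves the session cookie in the browser, so the steps recommended in the PHP manual are combined here. The function name is constructed for this example.

```php
<?php
// Added example (not from the original post): full session teardown on logout.
// session_destroy() alone does not clear $_SESSION for the current request and does not
// remove the cookie from the browser, so those are handled explicitly. logoutUser() is a
// name constructed for this example.
function logoutUser(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // 1. Clear the in-memory session data for the rest of this request
    $_SESSION = [];

    // 2. Expire the session cookie, using the same parameters it was set with so the
    //    browser matches and discards the right cookie
    if (ini_get('session.use_cookies')) {
        $params = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,
            $params['path'],
            $params['domain'],
            $params['secure'],
            $params['httponly']
        );
    }

    // 3. Remove the server-side session data
    session_destroy();
}

logoutUser();
```

Call logoutUser() before any output is sent, since the cookie header can only be set while headers are still open. If the user is logged in again later, start a fresh session with session_regenerate_id(true) so the old session id is not reused.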



Question: What is the PDO class?
PDO (PHP Data Objects) is a PHP extension that provides a uniform interface for connecting to databases such as MySQL, SQLite and others through database-specific drivers.


Question: What is the full form of Ajax? What is Ajax?
The full form of AJAX is Asynchronous JavaScript and XML.
Ajax is a technique used to update website contents without refreshing the page. Ajax fetches the contents from the server in the background.


Question: How to set and destroy a cookie?
setcookie("cookieName", "cookie value", time()+3600);  //set the cookie (expires in one hour)
setcookie("cookieName", "cookie value", time()-3600);  //destroy the cookie (expiry in the past)


Question: Does PHP support multiple inheritance?
No, PHP supports only single inheritance (a class can extend one parent class).


Question: Can we achieve multiple inheritance in PHP?
PHP does not support multiple inheritance, but we can achieve multilevel inheritance indirectly.
See the example below:
class a{}
class b extends a{}
class c extends b{}
class d extends c{}
class e extends d{}
class f extends e{}

As PHP does not support multiple inheritance, we instead extend multiple classes one by one in a chain (as above).