SQL Injection is a type of security vulnerability. An attacker inserts malicious SQL code into input fields (like login forms or search boxes) to access, modify, or delete data from your database. The hacker uses SQL injection a lot to hack. So, in this modern competition need to be more upgrade yourself and your own API or website. Below we will share the 5 ideas below, where we make mistakes constantly.
How is SQL Injection Done?
Suppose we create insecure PHP code like:
$sql = "SELECT * FROM users WHERE email = '$_POST[email]'";Now an attacker types this into the email field:
' OR 1=1 --The query becomes:
SELECT * FROM users WHERE email = '' OR 1=1 --'This bypasses authentication and shows all users because 1=1 is always true.
This mistake is almost common among new developers!
Let’s see 5 Effective Tips to Prevent SQL Injection in PHP
1 Use Prepared Statements with PDO or MySQLi
Never directly insert user input into SQL queries.
Example:
$stmt = $pdo->prepare("SELECT * FROM users WHERE email = ?");
$stmt->execute([$email]);2 Sanitize and Validate All Inputs
Make sure inputs are clean and valid. Posting the injection code here will be protected.
Example:
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);3 Use Whitelisting for Dynamic Values
If you need to allow sorting or filtering via URL, use whitelisting. If something illegal comes, it will ignite.
Example:
$allowed = ['name', 'email'];
$sort = in_array($_GET['sort'], $allowed) ? $_GET['sort'] : 'name';4 Limit Database User Privileges
Use a DB user with only the necessary permissions (e.g., no DROP, no GRANT).
5 Hide Detailed Errors in Production
Never show raw database errors to users in production. Use error logging instead.
Example:
ini_set(‘display_errors’, 0);
error_log($e->getMessage());
