How to prevent SQL injection in PHP?

While developing this website, I was concerned about how to prevent SQL injection in my PHP website. Of course, I had already acquired enough knowledge to understand the injection types, which I tested against my website. I have added examples to this tutorial as well, but let's get started with how to prevent SQL injection in a PHP website.

What is SQL Injection?

There may be better definitions available on the internet, but these are the key points I consider essential to understanding SQL injection:

  • SQL injection is the act of inserting malicious input that becomes part of a SQL query, which is then used in hacking techniques.
  • SQL injection is a code injection technique that can destroy data in a database, a database table, or the database itself.
  • SQL injection is one of the most common and well-known web hacking techniques because it works through ordinary website forms and URL parameters.

Starting from these bullet points, we can expand on each aspect under its own heading.

SQL Injection in Web Pages

SQL injection happens on your website when you ask a user for input (a user name, password, user id, or similar) and then place that input directly into a SQL statement executed against your database, without any verification or validation in your program code. Let's start the drill with the injection types.

1=1 is Always True – SQL Injection

We know that mathematically 1=1 is always true. If we build a SQL statement by pasting the username or user id into the query text without validating it, an attacker can append "OR 1=1" to the input, the WHERE clause becomes true for every row, and the attacker gets data from the Users table. Here is the statement that gets created:

SELECT * FROM Users WHERE UserId = 1 OR 1=1;

How to prevent SQL injection?

Now, if there is no validation of "wrong" or "falsified" input, you need to add validation at several levels to prevent SQL injection on your website. If nothing stops a user from entering "wrong" input, the user can enter some "smart" input like this. You can read more about SQL injection on Wikipedia.
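To make both halves of this concrete (the 1=1 statement above and the prevention it calls for), here is an added example that is not from the original post: a vulnerable PHP function that concatenates the user id into the query text, beside a hardened version that validates the input and uses a PDO prepared statement. It runs against an in-memory SQLite database; the Users table, its rows, and the function names are constructed for this illustration.

```php
<?php
// Added example (not from the original post). In-memory SQLite via PDO so
// it runs offline; the Users table and its three rows are constructed data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Users (UserId INTEGER PRIMARY KEY, UserName TEXT)');
$pdo->exec("INSERT INTO Users (UserId, UserName) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// VULNERABLE: raw user input is pasted into the SQL text, so input such as
// "1 OR 1=1" turns the query into the article's always-true statement.
function findUserVulnerable(PDO $pdo, string $userId): array
{
    $sql = "SELECT * FROM Users WHERE UserId = " . $userId;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED, level 1: validate the input shape. A user id must be digits only;
// anything else is rejected before it gets near the database.
function validateUserId(string $userId): bool
{
    return ctype_digit($userId);
}

// HARDENED, level 2: a prepared statement. The query text is fixed and the
// value is bound separately, so the database compares it as one value and
// never parses it as SQL, even if validation is bypassed or forgotten.
function findUserSafe(PDO $pdo, string $userId): array
{
    if (!validateUserId($userId)) {
        return [];
    }
    $stmt = $pdo->prepare('SELECT * FROM Users WHERE UserId = :id');
    $stmt->bindValue(':id', $userId);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$normal  = '1';
$crafted = '1 OR 1=1';   // the input behind the article's example statement

printf("vulnerable, normal input : %d row(s)\n", count(findUserVulnerable($pdo, $normal)));   // 1 row
printf("vulnerable, crafted input: %d row(s)\n", count(findUserVulnerable($pdo, $crafted)));  // 3 rows: whole table
printf("prepared,   normal input : %d row(s)\n", count(findUserSafe($pdo, $normal)));         // 1 row
printf("prepared,   crafted input: %d row(s)\n", count(findUserSafe($pdo, $crafted)));        // 0 rows: rejected
```

Run it with `php example.php`. The two defenses are deliberately layered: validation rejects input that makes no sense for the field, and the prepared statement guarantees that even unvalidated input cannot change the structure of the query. For a real site, the prepared statement is the non-negotiable part; the validation step is the "different level" that also catches bad data early and keeps error handling simple.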
