While development of this website, I was concerned about how to prevent SQL injection in my PHP website. Off-courses, I already acquire enough knowledge to understand the injection types which I tested with my website. I added examples in this tutorial as well but let’s started our how to prevent SQL injection in PHP website.
What is SQL Injection?
There can be best definitions available over the internet but what I conclude key points to understand SQL injection. Here are these key points;
- SQL injection is an act of inserting some malicious code to create SQL query which helps in hacking techniques.
- SQL injection is a code injection technique which may destroy data in database, a database table or database itself.
- SQL injection more common and known web hacking technique because it uses website forms and URL for its hacking activities.
With above bullet points, we can further segregate and add more information to our article in headings.
SQL Injection in Web Pages
SQL Injection happens on your website when you ask your website user for input of user name information and then process the username, user pass, user id or name and id in SQL statement on your database without verification or validation in a programmer code of language. Let’s start the drill with Injection Types.
1=1 is Always True – SQL Injection
We know that mathematically 1=1 is always true and if we create a SQL statement which does not validate username and password information then below statement will always be true and the hacker who used SQL injection will get some data from Users Table. Here is the example statement which will be created;
SELECT * FROM Users WHERE UserId = 1 OR 1=1;
How to prevent SQL injection?
Now, if there is no user validation on “wrong” or “falsified” input information, then you need to create validations on different levels to prevent SQL injection on your website. If there is nothing to prevent a user from entering “wrong” input, the user can enter some “smart” input like this. You can read more about SQL Injection on Wikipedia