Talk:Programming:PHP/SQL Injection

From Wikibooks, the open-content textbooks collection

Hehe, I learned something here... time to go overhaul my forum ;^) --Spoom 14:10, 6 Oct 2004 (UTC)

IMO the first solution provided is bad practice as it skips proper validation of user input. Besides
- it my cause nonsensical database queries, which isn't fatal, but unwanted
- it is overly complicated

Using magic quotes is bad practice too, see: http://www.php.net/manual/en/security.variables.php
--Marek 25.01.2005

There needs to be an additional section on PHP 5's mysqli library and using positional parameters. Example (where $db is a connnection):

$name = "Joe";
$age = 5;
$stmt = $db->prepare("INSERT INTO customers (name, age) VALUES (?, ?)");
$stmt->bind_param("si", $name, $age);
$stmt->mysqli_stmt_execute();

The above will properly escape $name and $age, and will also perform better in some cases when inserting multiple rows when the same prepared statement can be reused. Wesley 13:00, 28 April 2006 (UTC)

Please note that the SQL syntax for DELETE statement is wrong in the given example:

 SELECT * FROM `users` WHERE username = '\';DELETE * FROM `forum` WHERE title != \

The correct form is as shown below:

 SELECT * FROM `users` WHERE username = '\';DELETE FROM `forum` WHERE title != \

Also when we try to execute the above statement from within a mySQL client it will be executed successfully. (author of the above post unknown)

Thanks - I'll update the article. The MySQL client has always allowed query stacking, but I've tried to do it in PHP and it failed. The SQL parser in one of my PHP apps actually kills the connection if it detects a stacked query. --Dandaman32 14:31, 10 March 2007 (UTC)