#Security: #MySQLTips: How to prevent SQL injection in PHP using PDO and MySQLi?

  johnny
  August 7, 2013 8:55pm

SQL injection in PHP is one of the most common vulnerabilities in web applications. So if you are a developer, you need to understand every known techniques of web attacks. In this case you would know how to properly code your Joomla Extensions.

You can prevent SQL injection on your PHP code using PDO and MySQLi. Depending on your PHP framework, there is probablu a defined classes to do this. I will show you the generic syntax to give you an idea.

Using PDO:

$stmt = $pdo->prepare('SELECT * FROM users WHERE name = :name');
$stmt->execute(array(':name' => $name));

foreach ($stmt as $row) {
    // do something with $row
}

Using MySQLi:

$name = $_GET['username'];
$password = $_GET['password'];
 
if ($stmt = $mysqli->prepare("INSERT INTO tbl_users (name, password) VALUES (?, ?)")) {
    // Bind the variables to the parameter as strings. 
    $stmt->bind_param("ss", $name, $password);
    // Execute the statement.
    $stmt->execute();
    // Close the prepared statement.
    $stmt->close();
}
 

1 Reponse

Post Response
1

I think this is one of the issues with open source. A lot of open source developers are new and inexperience to know what's the best way to develop a program.

In the case of SQL injection, I have seen a lot of Joomla extensions with full SQL statement on the SQL query command. And that is how SQL injection is a big problem with CMS like Joomla.

  Ben100 August 12, 2013 1:23am reply (0)