go top


  • Colection of 65 PHP scripts for $4.29 each

Get 65 PHP scripts in a bundle for $4.29 each!

View Offer

How to prevent SQL injection with PHP

Tuesday, 12th July, 2016  /  PHP Tutorials  / MySQL Tutorials  /  5 Comments
SQL injection is a technique, used to attack data-driven applications. Using this method, hackers will try to execute their SQL statements within your application and access your database data.

Here is an example SQL injection. Let's consider you have a login form with two fields - email (text field) and password (password field). Upon login, you will build and execute a similar query:

"SELECT * FROM `users` WHERE `email` = '".$_POST["email"]."' AND `password` = '".$_POST["password"]."'";

You can see that the query is searching for a user in `users`table, which matches the email and password posted via the login form. However, since both email and password are not properly handled, an attacker can modify the query. Assume that they enter:

Email: myemail@domain.com
Password: mypassword

The constructed query will be:

SELECT * FROM `users` WHERE `email` = 'myemail@domain.com' AND `password` = 'mypassword';

Which seems to be correct. However, if the attacker uses:

Email: myemail@domain.com
Password: mypassword'; DROP TABLE 'users

the query will become:

SELECT * FROM `users` WHERE `email` = 'myemail@domain.com' AND `password` = 'mypassword'; DROP TABLE 'users';

And of course, you do not want people to execute such queries over your database.

To protect your PHP application from being abused via such SQL injections, you should correctly set all SQL queries that are being run. With older versions of PHP (>= 4.3.0, 5) you would do that with mysql_real_escape_string(). So above query would look like this:

"SELECT * FROM `users` WHERE `email` = '".mysql_real_escape_string($_POST["email"])."' AND `password` = '".mysql_real_escape_string($_POST["password"])."'";

This is how the SQL injection protected query looks like now:

SELECT * FROM `users` WHERE `email` = 'myemail@domain.com' AND `password` = 'mypassword\'; DROP TABLE \'users'
You can see that the data being passed via $_POST is now escaped and DROP TABLE query will not be executed separately, but will be considered as a part of the password string.

With the latest versions of PHP you can now use PDO and prepared queries. Here is an example:

$stmt = $conn->prepare("SELECT * FROM `users` WHERE `email`=:email AND `password` = :password");
$stmt->bindValue(':email', $_POST["email"]);
$stmt->bindValue(':password', $_POST["password"]);

The key function here is prepare(). It secures the SQL query and protects it from SQL injections.

There are other ways to verify that data passed via SQL queries is valid and not abused. For example, if you expect an integer to be passed, you may use intval() to convert the inputted data into an integer.

"SELECT * FROM `users` WHERE `age` = '".intval($_POST["age"])."'";

Or if you expect an email address, you can use email validation to guarantee that $_POST["email"] is a valid email address. Take a look at our PHP Validation And Verification tutorial for different string validations.

SQL injection is one of the top website vulnerabilities, so you should be very careful when using user inputted data to construct SQL queries.
Share on:

5 Comments to "How to prevent SQL injection with PHP"


john"><b>hi</b>' / July 31, 2021 at 18:56 pm

echo '123';

Mubarrak Mohammad Jibo

Mubarrak Mohammad Jibo / March 28, 2020 at 13:32 pm

This is awesome i like it


slovapet / August 5, 2019 at 15:16 pm

It is english language possible to write? Sorry for my proor eng


Olu / June 4, 2019 at 19:57 pm

Thanks. Good tutorial


Mubarak / December 26, 2018 at 21:27 pm

Wow, i find this interesting.

Add your comment


    Please, be polite and helpful and do not spam or offend others! We promise you will be treated the same way!

    Log in to your account to post your comments. If you still haven't joined our community yet, you can create your FREE account now!

    Posting tip:
    If you use code in your comments, please put it in these tags [php], [sql], [css], [js] PHP code example: [php] echo date("Y-m-d"); [/php]

    Thank you,
    PHPJabbers Team

    Free Scripts

    Add great new functionalities to your website with our Free Scripts collection.

    Free scripts

    PHP Scripts

    Check our extensive collection of top-notch PHP Scripts that will enhance your website!

    Commercial PHP scripts