Click here to Skip to main content
13,554,130 members
Click here to Skip to main content
Add your own
alternative version

Tagged as


10 bookmarked
Posted 19 Oct 2009
Licenced CPOL

Removing SQL Injection on PHP and MySQL Based Architecture

, 19 Oct 2009
Rate this:
Please Sign up or sign in to vote.
A short guide on how to remove SQL Injection, with reusable code


When working with technologies such MySQL, developers should aim to correctly sanitize input, as such systems can be easily exploited. This guide is not thorough and I expect the reader to have prior knowledge of both PHP and MySQL.


Databases store information in tables. In turn, queries are used to obtain, update and insert information, an in such tables for given criteria. Queries are made up of keywords (INSERT, UPDATE, SELECT), table names and other values (PHP variables for example). Together, these values build a string (known as an SQL statement) which is then executed using a function such as mysqli_query(). The problem is, when one wishes to use raw user input (say a username or password) from a form, there is a chance the input may contain SQL statements. In turn, the statements can execute causing unexpected results such as the unauthorised deletion of tables, or the unauthorised insertion of extra records.

What can be done to stop this problem? MySQL injection is an old and recognised exploit. Functions were created to correctly sanitize user input, removing the chances of successful SQL injection. In particular, the function mysql_real_escape_string() should be used along with stripslashes() if magic_quotes_gpc is on.

Using these functions is really simple. The first function adds back slashes to a few special characters (if they exist in the user input) in order to escape them. This function has two parameters: the first is an un-escaped string obtained from the user (usually from a form field) and the second is an optional link identifier. The link identifier may or may not be optional depending on the solution. When you use mysql_connect, the resulting string is used for the second argument in the mysql_real_escape_string() function. On a side note, if you are using mysqli_connect to connect to your database, you may have to use mysql_connect instead.

The second function, stripslashes() is used to remove quotes from a quoted string. The function has a single parameter, the string which is to be sanitized. This function is only required if magic_quotes_gpc is on. This can be found by using the phpinfo() function.

Putting It All Together

Finally, we can build a function to remove SQL injection from raw strings, which can be seen below. Obviously your connection string will differ for your database/server.

function Remove_SQLi($str) 
   $connection_string = mysql_connect('server', 'database_user','user_password');  
       return mysql_real_escape_string(stripslashes($str), $connection_string); 
       return mysql_real_escape_string($str, $connection_string); 

This should stop most attacks, but it still may be susceptible to blind-SQL injection! If you are interested in other exploits, try looking up XSS (cross-site scripting).

Related Reading

This article was taken from my personal website, more articles and my blog can be found there.


  • 19th October, 2009: Initial post


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


About the Author

Other CalvinHartwell.Com
United Kingdom United Kingdom
No Biography provided

You may also be interested in...


Comments and Discussions

GeneralMy vote of 3 Pin
lehuylai6-Jul-11 10:03
memberlehuylai6-Jul-11 10:03 
GeneralMy vote of 2 Pin
Helbrax20-Oct-09 8:47
memberHelbrax20-Oct-09 8:47 
GeneralRe: My vote of 2 Pin
Calvin Hartwell20-Oct-09 9:10
memberCalvin Hartwell20-Oct-09 9:10 
GeneralRe: My vote of 2 Pin
Helbrax10-Nov-09 7:00
memberHelbrax10-Nov-09 7:00 
GeneralParameterized Query Pin
luayessa20-Oct-09 1:22
memberluayessa20-Oct-09 1:22 
GeneralRe: Parameterized Query Pin
CalvinHartwell20-Oct-09 2:13
memberCalvinHartwell20-Oct-09 2:13 
GeneralRe: Parameterized Query Pin
Helbrax20-Oct-09 8:51
memberHelbrax20-Oct-09 8:51 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

Permalink | Advertise | Privacy | Terms of Use | Mobile
Web02-2016 | 2.8.180515.1 | Last Updated 19 Oct 2009
Article Copyright 2009 by CalvinHartwell
Everything else Copyright © CodeProject, 1999-2018
Layout: fixed | fluid