How to Prevent SQL Injection Attacks in PHP: Practical Tips and Code Examples
This article explains what SQL injection is, shows vulnerable PHP code examples, and provides concrete prevention techniques—including input validation, parameterized queries, limited database privileges, error handling, and proper escaping of special characters—to protect web applications from attacks.
What Is SQL Injection?
SQL injection occurs when an attacker inserts malicious SQL commands into web form inputs, URL query strings, or other user‑controlled data, tricking the server into executing unintended queries.
Vulnerable Example in PHP
```php
// Deliberately vulnerable: $name is interpolated straight into the SQL text.
// mysql_query() belongs to the legacy mysql extension, which was removed in PHP 7.
$name = "Qadir'; DELETE FROM users;";
mysql_query("SELECT * FROM users WHERE name='{$name}'");
```
Because the variable $name is concatenated directly into the query without any filtering, the injected DELETE statement would remove all rows from the users table.
Database‑Specific Considerations
While MySQL's mysql_query() does not allow multiple statements per call, databases such as SQLite and PostgreSQL do. Even a single statement can be altered by injected input (for example, by changing its WHERE clause), so strict input validation is essential across all platforms.
Key Prevention Measures
Never trust user input. Validate using regular expressions, enforce length limits, and escape single and double quotes.
Avoid dynamic SQL concatenation. Use prepared statements or stored procedures for all database interactions.
Do not use privileged database accounts. Assign each application a dedicated account with the minimum required permissions.
Store sensitive data securely. Encrypt or hash passwords and other confidential information.
Limit error information. Return generic error messages and wrap detailed database errors in custom responses.
Employ detection tools. Use security scanners such as jsky, MDCSOFT SCAN, or MDCSOFT‑IPS to identify injection vulnerabilities.
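The following is an added example, not code from the original article: the vulnerable lookup above rewritten with a whitelist validator, a PDO prepared statement, a dedicated low-privilege account and generic error responses, covering the first five measures in the list. The table and column names (users, name) come from the article; the DSN, the credentials and the app_readonly account name are assumptions.

```php
<?php
// Added example (not from the original article). Assumes a MySQL database "app"
// reachable on localhost and a dedicated account "app_readonly" that holds only
// the SELECT privilege on the tables this page needs (least privilege).
declare(strict_types=1);

function validateName(string $name): string
{
    // Whitelist: letters, digits, spaces, hyphens and apostrophes, 1-64 chars.
    // This is defence in depth; the prepared statement below is the primary control.
    if (!preg_match('/^[\p{L}\p{N} \'\-]{1,64}$/u', $name)) {
        throw new InvalidArgumentException('Invalid name');
    }
    return $name;
}

function findUsersByName(PDO $db, string $name): array
{
    // The placeholder keeps the value out of the SQL text entirely; the driver
    // sends it separately, so a quote or ';' inside $name is just data.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

try {
    $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_readonly', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
    ]);

    $name = validateName($_GET['name'] ?? '');
    $rows = findUsersByName($db, $name);
    header('Content-Type: application/json');
    echo json_encode($rows);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Bad request';
} catch (PDOException $e) {
    // Log the detail for operators; the user only sees a generic message, so
    // table names and SQL fragments never leak through error output.
    error_log('DB error: ' . $e->getMessage());
    http_response_code(500);
    echo 'An internal error occurred';
}
```

The article's payload ("Qadir'; DELETE FROM users;") is rejected by validateName() because of the ';', and even if validation were skipped it would be bound as a plain string and match no row rather than being executed.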
Handling LIKE‑Clause Injection
When user input contains the wildcard characters _ or %, a LIKE query may return unintended results. In PHP, the addcslashes() function can escape these characters.
```php
// Escapes only the LIKE wildcards; the value is still concatenated into the SQL text,
// so quotes are not handled here and the string should additionally be bound as a parameter.
$escaped = addcslashes($userInput, "_%");
$sql = "SELECT * FROM table WHERE column LIKE '{$escaped}'";
```
addcslashes() adds backslashes before specified characters. Its signature is addcslashes(string, characters), where string is the input to process and characters defines which characters to escape.
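As an added example (not from the original article), here is the same wildcard escaping combined with a bound parameter and an explicit ESCAPE clause, so neither the wildcards nor any quotes in the input can change the query. The placeholder names table and column are taken from the article and are quoted with backticks because both are reserved words in MySQL; the PDO connection $db is assumed to exist.

```php
<?php
// Added example (not from the original article). Assumes $db is an open PDO
// connection to MySQL with PDO::ATTR_EMULATE_PREPARES set to false.
declare(strict_types=1);

function escapeLike(string $value): string
{
    // Double any existing backslash first so it cannot neutralise the escapes
    // that addcslashes() inserts in front of '_' and '%'.
    $value = str_replace('\\', '\\\\', $value);
    return addcslashes($value, '_%');
}

function searchColumn(PDO $db, string $userInput): array
{
    // The pattern is bound, not interpolated, so quotes in $userInput are data.
    // ESCAPE '\' names the escape character explicitly instead of relying on
    // MySQL's default; the PHP string "\\\\" reaches the server as '\\'.
    $pattern = '%' . escapeLike($userInput) . '%';
    $stmt = $db->prepare("SELECT * FROM `table` WHERE `column` LIKE :pattern ESCAPE '\\\\'");
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// escapeLike("50%_off") returns "50\%\_off", so the query matches the literal
// text "50%_off" rather than treating '%' and '_' as wildcards.
```

Without escapeLike(), an input of "%" alone would match every row; with it, the same input matches only rows that contain a literal percent sign.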
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
ITPUB
Official ITPUB account sharing technical insights, community news, and exciting events.