Reputation: 13340
What is the best solution for SQL injection security on MySQL?
What is the best function to run my strings through to ensure that MySQL injection is impossible?
Also, will it require running it through another function on the way out to make it display correctly?
See also
Are Parameters really enough to prevent Sql injections?
C# Parameterized Query MySQL withinclause
Can I protect against SQL Injection by escaping single-quote and surrounding user input with single-quotes?
Upvotes: 0
Views: 1900
Answers (5)
Reputation: 11
In PHP the best way is to use HTML escaping on strings.
It turns special characters into HTML compliant characters.
Example: " " (space) transforms into "%20".
Upvotes: -1
Reputation: 1677
Add to parameterized queries the use of input validation within the application. Never trust that the input is clean. Check it. For instance, if it's supposed to be an integer, check to make sure it converts to a numeric value without issue.
Upvotes: 0
Reputation: 340045
As Chad says, always use parameterized queries to avoid SQL injection.
To answer the second half of your question, if your output is to a web page then always escape any special HTML characters (&, <, >) to protect against script injection.
Upvotes: 0
Reputation: 116528
A parameter function.
Humor aside, I mean don't dynamically execute user-entered content as SQL if you can at all avoid it. Pass everything as parameters, and reference them from your query instead. See Chad Birch's answer for a good link explaining this.
Upvotes: 1
Related Questions
- How can I prevent SQL injection in PHP?
- Preventing SQL Injection in PHP without parameterized queries?
- securing mysql database query against sql injections
- MySQL Injection prevention
- PHP mysql injection protection
- how to protect from sql injection when using php?id=
- efficient and secure queries idea - mysql
- smart solution of SQL injection
- SQL Injection Protection
- what is the best way to prevent sql injection in mysql