Defending against SQL Injection Attack in PHP | any version

12 Jan

Internet security is a very sensitive issue, and many websites have vulnerabilities that are easily exploitable. One such vulnerability is SQL injection, in which the attacker can execute any kind of query against your database, gain administrator privileges and, if things are even worse, gain access to your system and execute any command. Dangerous as this vulnerability is, it has a very easy fix. I'd like to introduce you to a small function, escape(), that I've written for sanitizing data while querying the database, which will disable SQL injection attacks in PHP, irrespective of the PHP version you use.

function escape($input)
{
    // Add slashes only when Magic Quotes GPC has not already done so
    if (!get_magic_quotes_gpc()) {
        $input = addslashes($input);
    }
    return $input;
}


By default, the Magic Quotes GPC feature of PHP is turned ON, so it automatically sanitizes any data received from $_GET and $_POST by placing slashes before any ', " or \ characters. However, as of PHP 5.0+ this feature is deprecated, and relying on it is highly discouraged. Instead, use the addslashes() function, which does the same thing. The function I wrote checks whether the Magic Quotes GPC feature is turned ON: if it is, it simply returns the input as it is; otherwise it calls addslashes() on the input. So simple!
However, there's a more "secure" version of it. This one is not suitable for large-scale systems, though, as it requires an extra connection to the MySQL server.

function escape($input)
{
    // Undo Magic Quotes GPC slashes first so the input is not escaped twice
    if (get_magic_quotes_gpc()) {
        $input = stripslashes($input);
    }
    return mysql_real_escape_string($input);
}


You can use the above function as follows:

Find all the form variables that you receive in your PHP code, i.e. all the occurrences of $_GET and $_POST, and whenever you use them, use

escape($_POST['var'])

instead of just $_POST['var']. Similarly for $_GET variables.

For example, suppose you have built the MySQL query like this:

$query="SELECT * FROM `users` WHERE `username`='$username' AND `password`='$password'";

To secure the above code, use this code instead:

$username=escape($username); $password=escape($password);
$query="SELECT * FROM `users` WHERE `username`='$username' AND `password`='$password'";

or, written in a single line:

$query="SELECT * FROM `users` WHERE `username`='".escape($username)."' AND `password`='".escape($password)."'";
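
To see what escape() changes in the query above, the following added example (not the original author's code) builds the login query with and without escaping and checks whether the database would read back exactly the values that were supplied. The helpers login_query() and string_literals() and the sample inputs are hypothetical, and the function_exists() guard is an assumption added so the script also runs on PHP 8, where get_magic_quotes_gpc() no longer exists.

```php
<?php
// Added example, not the article's code. Assumes PHP 5.4+ (no magic quotes).
// Version-safe form of the first escape(): get_magic_quotes_gpc() was
// removed in PHP 8.0, so it is called only where it still exists.
function escape($input)
{
    $magic = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    return $magic ? $input : addslashes($input);
}

// Hypothetical helper: the article's login query, with or without escape().
function login_query($username, $password, $escaped)
{
    if ($escaped) {
        $username = escape($username);
        $password = escape($password);
    }
    return "SELECT * FROM `users` WHERE `username`='$username' AND `password`='$password'";
}

// Hypothetical helper: decode the single-quoted literals of a query
// (simplified MySQL rule: a backslash makes the next character literal).
function string_literals($sql)
{
    $out = array();
    $n = strlen($sql);
    for ($i = 0; $i < $n; $i++) {
        if ($sql[$i] !== "'") {
            continue; // outside a literal: this is SQL syntax
        }
        $value = '';
        for ($i++; $i < $n && $sql[$i] !== "'"; $i++) {
            if ($sql[$i] === '\\' && $i + 1 < $n) {
                $i++; // drop the backslash, keep the character after it
            }
            $value .= $sql[$i];
        }
        $out[] = $value;
    }
    return $out;
}

// Constructed inputs covering the three characters the article names.
foreach (array("o'brien", 'a\\b"c', 'trailing\\') as $name) {
    foreach (array(false, true) as $escaped) {
        $lits = string_literals(login_query($name, 'secret', $escaped));
        $intact = ($lits === array($name, 'secret')) ? 'yes' : 'no';
        printf("%-10s escaped=%d intact=%s\n", $name, $escaped, $intact);
    }
}
```

The check only covers values placed inside quoted string literals, as in the article's query; a value interpolated into a query without surrounding quotes gets no protection from escape().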

This simple thing will completely disable any kind of SQL injection attack on your website or web application, irrespective of the PHP version you use. However, beware of other attacks!


