PHP Security and Encryption
Eliminating SQL Injection
Problem
You need to eliminate SQL injection vulnerabilities in your PHP applications.
Solution
Use a database library such as PDO that performs the proper escaping for your database:
$statement = $db->prepare("INSERT
INTO users (username, password)
VALUES (:username, :password)");
$statement->bindParam(':username', $clean['username']);
$statement->bindParam(':password', $clean['password']);
$statement->execute();
Discussion
Using bound parameters ensures your data never enters a context where it is considered to be anything except raw data, so no value can possibly modify the format of the SQL query.
No comments:
Post a Comment