DEV Community

Cover image for Understanding SQL Injection and Prevention using Parameter Binding in PHP
Aritra Mukherjee
Aritra Mukherjee

Posted on • Originally published at on

Understanding SQL Injection and Prevention using Parameter Binding in PHP

Happy Diwali πŸŽ† folks! When I learnt PHP for the first time, I wasn't really aware of the good practices regarding web security in PHP. Over the years, fuelled by my inquisitiveness and will for perfection, I put the effort in hours of research to figure out how exactly we can safely interact with the database in PHP.

If you try to do so yourself, you will realise that the experience of traversing the PHP documentation is not that convenient and there exist multiple ways of doing the same thing which is frankly very confusing to beginners. πŸ™„

Therefore, in this article, I decided to compile what I learnt and show you two ways of preventing most SQL Injection attacks in PHP (MySQLi and PDO) in a comparative fashion and explain their usage step by step. πŸŽ‰

This is what I am going to cover:

  • SQL Injection
    • Short explanation
    • A simple example
  • Preventing SQL Injection
    • Using Parameter Binding in MySQLi
    • Using Parameter Binding in PDO
  • MySQLi vs PDO

In my next article, I am going to dive deep into Parameter Binding with real-life examples.

Continue reading "Preventing SQL Injection with PHP using Parameter Binding"

The post Preventing SQL Injection with PHP using Parameter Binding appeared first on GeekyMinds.

Top comments (3)

mukherjee96 profile image
Aritra Mukherjee • Edited

You're correct. Achieving perfection in terms of web security is a utopian dream. We can spend time and seal off each entry one by one by escaping them manually, but imagine the time that would take for large projects. I think we should rather use frameworks than write core PHP. Popular frameworks like Laravel and Django (Python) will have teams updating the framework's ORM layer to make sure it can handle the latest threats.