Also note that you (generally) do not want to simply "sanitize" GET/POST/cookie data, as you will often be using it for things other than DB query values. Therefore, you (normally) only want to sanitize it for SQL as/when you are actually using it as such. As Brad points out, using prepared statements and bound parameters (as are available with the MySQLi or PDO extensions) takes care of things pretty painlessly for you. Otherwise you should be looking for the escaping function specific to the DBMS being used (such as the mysql_real_escape_string() function in the older MySQL extension).

Prepared statement (PDO):

    $sql = "INSERT INTO the_table (col1, col2) VALUES(:val1, :val2)";
    $stmt = $pdo->prepare($sql);
    $stmt->bindParam(':val1', $_POST['val1'], PDO::PARAM_INT);
    $stmt->bindParam(':val2', $_POST['val2'], PDO::PARAM_STR);
    $stmt->execute();

The old way (MySQL):

    $sql = sprintf(
        "INSERT INTO the_table (col1, col2) VALUES(%d, '%s')",
        (int) $_POST['val1'], // cast to integer
        mysql_real_escape_string($_POST['val2']) // escape a string
    );
    $result = mysql_query($sql);
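
Added example, not part of the original post: it shows why one up-front "sanitize" pass over request data goes wrong, by sending the same value through a bound parameter and then through HTML output encoding. The `$post` array, the sample values and the in-memory SQLite database (which needs the pdo_sqlite driver) are assumptions made so the script runs on its own, and `addslashes()` stands in for a blanket sanitize step.

```php
<?php
// Constructed sample input standing in for $_POST (not from the original post).
$post = ['val1' => '42', 'val2' => "O'Reilly <b>& Sons</b>"];

// In-memory SQLite keeps the example self-contained (assumption; with MySQL
// only the DSN would differ).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE the_table (col1 INTEGER, col2 TEXT)');

// Anti-pattern: escape once, up front, then reuse the result everywhere.
$blanket = addslashes($post['val2']);

$stmt = $pdo->prepare('INSERT INTO the_table (col1, col2) VALUES (:val1, :val2)');

// SQL context: the bound parameter carries the raw value, no escaping needed.
$stmt->bindValue(':val1', (int) $post['val1'], PDO::PARAM_INT);
$stmt->bindValue(':val2', $post['val2'], PDO::PARAM_STR);
$stmt->execute();

// Same statement fed the pre-escaped value: the backslash is stored as data.
$stmt->bindValue(':val1', 43, PDO::PARAM_INT);
$stmt->bindValue(':val2', $blanket, PDO::PARAM_STR);
$stmt->execute();

$rows = $pdo->query('SELECT col1, col2 FROM the_table ORDER BY col1')
            ->fetchAll(PDO::FETCH_ASSOC);

// The raw value must round-trip unchanged; the pre-escaped one must not.
if ($rows[0]['col2'] !== $post['val2']) {
    throw new RuntimeException('bound parameter altered the stored value');
}
if ($rows[1]['col2'] === $post['val2']) {
    throw new RuntimeException('expected the blanket-escaped value to differ');
}

foreach ($rows as $row) {
    // HTML context: encode at output time, with the encoder for that context.
    echo $row['col1'], ': ',
         htmlspecialchars($row['col2'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```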