Prevent Hacking from Malicious SQL Injections by Parameterizing SQL Queries

SQL injection is an attack in which untrusted input (a form field, a URL parameter, a cookie) is concatenated into a SQL statement, so that characters such as quotes, comment markers and keywords change the structure of the query instead of being treated as data. A successful injection can read, modify or delete data and, depending on the driver and the database account's privileges, run additional statements. Parameterized queries (prepared statements) send the SQL text and the data to the server separately, so user input can never be parsed as SQL; they are the primary defence for web sites and for any other application that builds queries from input.

The legacy mysql_* functions (deprecated in PHP 5.5 and removed in PHP 7.0) have no support for prepared statements; to parameterize a query you need MySQLi or PDO. For example:

Parameterized SQL Query Using MySQLi
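The following is an added example written for this page, not the article's original listing. It assumes a MySQL database named app with a table users(id INT, username VARCHAR, email VARCHAR), a connection user app_user, and a client-supplied $_GET['username']; all of these names are assumptions. It places the vulnerable string-building form next to the prepared-statement form so the difference is visible:

```php
<?php
// Added example, not the page's original code. Database name, credentials,
// table and column names are assumptions made for illustration.
declare(strict_types=1);

$mysqli = new mysqli('localhost', 'app_user', 'secret', 'app');
if ($mysqli->connect_errno) {
    die('Connection failed: ' . $mysqli->connect_error);
}
$mysqli->set_charset('utf8mb4');

$username = $_GET['username'] ?? '';

// VULNERABLE: the input is pasted into the SQL text. A username of
//     ' OR '1'='1
// turns the WHERE clause into  username = '' OR '1'='1'  and returns every row,
// and a UNION SELECT with a matching column count can read other tables.
$vulnerable = "SELECT id, username, email FROM users WHERE username = '$username'";
// $mysqli->query($vulnerable);   // never run a query built this way

// SAFE: the statement with a '?' placeholder is sent to the server first;
// the value travels separately in execute() and is never parsed as SQL.
$stmt = $mysqli->prepare('SELECT id, username, email FROM users WHERE username = ?');
if ($stmt === false) {
    die('Prepare failed: ' . $mysqli->error);
}
// 's' binds $username as a string ('i' integer, 'd' double, 'b' blob).
$stmt->bind_param('s', $username);
$stmt->execute();

// bind_result/fetch works with every MySQLi driver build (get_result needs mysqlnd).
$stmt->bind_result($id, $user, $email);
while ($stmt->fetch()) {
    // $user is the literal string the client sent, quotes and all, never SQL.
    printf("%d %s %s\n", $id, $user, $email);
}
$stmt->close();
```

The placeholder can only stand for a value; the server has already parsed the statement by the time the data arrives, which is why a quote inside $username cannot terminate the string literal.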

The key method is mysqli::prepare, which sends the statement with ? placeholders to the server and returns a mysqli_stmt. The values are then attached with mysqli_stmt::bind_param, whose first argument gives each parameter's type (s for string, i for integer, d for double, b for blob), and the statement is run with mysqli_stmt::execute.

PDO is another option for parameterizing queries, and it also supports named placeholders such as :username, which read better when a statement has several parameters. Using PDO, the MySQLi example above can be rewritten as:

Parameterized SQL Query Using PDO
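Added example for this page, not the article's original listing. It assumes the same users table (id INT, username VARCHAR, email VARCHAR), a DSN pointing at a local database named app, and client-supplied $_GET values; the DSN, credentials and column names are assumptions. Beyond the basic rewrite it shows two things a practitioner will want: turning off PDO's client-side prepare emulation so the data really is sent separately from the SQL, and handling the one thing placeholders cannot do, which is stand in for an identifier:

```php
<?php
// Added example, not the page's original code. DSN, credentials, table and
// column names are assumptions made for illustration.
declare(strict_types=1);

$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'secret',
    [
        // Throw on errors instead of silently returning false.
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // With emulation on, PDO quotes the values itself and sends one SQL string.
        // Off, the statement and the data go to the server separately, which is what
        // "parameterized" should mean, and integer parameters stay integers.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$username = $_GET['username'] ?? '';
$minId    = (int) ($_GET['min_id'] ?? 0);

// Named placeholders; each one is bound with an explicit type.
$stmt = $pdo->prepare(
    'SELECT id, username, email FROM users WHERE username = :username AND id >= :min_id'
);
$stmt->bindValue(':username', $username, PDO::PARAM_STR);
$stmt->bindValue(':min_id',   $minId,    PDO::PARAM_INT); // numeric context, so bind as INT
$stmt->execute();

foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    printf("%d %s %s\n", $row['id'], $row['username'], $row['email']);
}

// Placeholders can only carry values, never table or column names or keywords.
// A client-chosen sort column therefore cannot be bound; validate it against an
// allowlist of known column names and fall back to a default otherwise.
$allowedSort = ['id', 'username', 'email'];
$sort = $_GET['sort'] ?? 'id';
if (!in_array($sort, $allowedSort, true)) {
    $sort = 'id';
}
$sorted = $pdo->query("SELECT id, username, email FROM users ORDER BY `$sort`");
foreach ($sorted->fetchAll(PDO::FETCH_ASSOC) as $row) {
    printf("%d %s %s\n", $row['id'], $row['username'], $row['email']);
}
```

The allowlist is the only safe way to let input choose an identifier: the interpolated value is one of three constants the code itself defines, so nothing the client sends reaches the SQL text.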

A weaker approach is escaping: mysql_real_escape_string (or, in MySQLi, mysqli_real_escape_string) prefixes quotes, backslashes, NUL bytes and newlines in the input with a backslash so that they are treated as literal characters inside a quoted SQL string. It does not remove anything, it only protects a value that is placed between quotes, and it must know the connection's character set to escape correctly; unquoted numeric values, identifiers and keywords remain unprotected. Prefer prepared statements and reserve escaping for code that cannot be converted:

MySQL Escape String Function
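Added example for this page, not the article's original listing. Because the mysql_* extension the article names no longer exists in current PHP, it uses the MySQLi equivalent, mysqli::real_escape_string; the database, credentials and column names are assumptions. It shows the one case where escaping works (a value inside a quoted string literal) next to the case where it silently does nothing (a value used in a numeric context), which is the main reason to prefer prepared statements:

```php
<?php
// Added example, not the page's original code. Credentials, table and column
// names are assumptions made for illustration.
declare(strict_types=1);

$mysqli = new mysqli('localhost', 'app_user', 'secret', 'app');
if ($mysqli->connect_errno) {
    die('Connection failed: ' . $mysqli->connect_error);
}
// Escaping is only correct for the connection's character set, so set it through
// the driver (not with a "SET NAMES" query, which the client library does not see).
$mysqli->set_charset('utf8mb4');

// Case 1: value inside a quoted string literal. Escaping is sufficient here.
$username = $_GET['username'] ?? '';
$safeUser = $mysqli->real_escape_string($username);
//   ' OR '1'='1   becomes   \' OR \'1\'=\'1   and stays inside the literal.
$sql = "SELECT id FROM users WHERE username = '$safeUser'";

// Case 2: value in a numeric context with no quotes around it. Nothing in the
// input needs a quote to break out, so  min_id=0 OR 1=1  passes through escaping
// unchanged and the query still returns every row.
$minId   = $_GET['min_id'] ?? '0';
$escaped = $mysqli->real_escape_string($minId);
$stillInjectable = "SELECT id FROM users WHERE id >= $escaped";   // do not run

// For numeric input, cast to the expected type (or use a prepared statement);
// the cast turns "0 OR 1=1" into 0.
$sqlNumeric = 'SELECT id FROM users WHERE id >= ' . (int) $minId;

$result = $mysqli->query($sql);
while ($row = $result->fetch_assoc()) {
    printf("%d\n", $row['id']);
}
```

Escaping has to be applied correctly at every single interpolation point; a prepared statement removes that per-site decision entirely, which is why the page recommends it first.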