Featured image of Preventing SQL Injection in PHP

How to Prevent SQL Injection in PHP: A Comprehensive Guide

SQL injection is a prevalent security threat that can compromise the integrity and confidentiality of your web application’s data.

PHP, as a popular server-side scripting language, is often used in web development projects. It is crucial to ensure that your PHP applications are fortified against SQL injection attacks.

In this comprehensive guide, we will delve into best practices and techniques to effectively prevent SQL injection in PHP.

What is SQL Injection?

SQL injection is a type of security vulnerability that occurs when an attacker is able to manipulate SQL queries sent to a database by injecting malicious SQL code.

It typically happens when user input is concatenated directly into SQL statements without proper sanitization or validation.

For example, consider the following PHP code snippet:

$username = $_POST['username'];
$password = $_POST['password'];

$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysqli_query($conn, $query);

In this code, if an attacker enters a malicious input like ' OR '1'='1, the resulting query becomes:

$username = $_POST['username']; // Contain -> ' OR '1'='1
$password = $_POST['password']; // Contain -> ' OR '1'='1

$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
// This query always returns true
$query_becomes = "SELECT * FROM users WHERE username='' OR '1'='1' AND password='' OR '1'='1'";

This query always returns true, effectively bypassing the authentication system and granting unauthorized access.

Why is SQL Injection Dangerous?

SQL injection is a severe threat because it can lead to various security risks:

  1. Data Breaches: Attackers can access, modify, or delete sensitive data stored in your database, potentially exposing user credentials, personal information, or financial records.
  2. Unauthorized Access: By injecting malicious SQL code, attackers can gain unauthorized access to restricted areas of your application or even administrative privileges.
  3. Data Loss: SQL injection can lead to data loss if attackers modify or delete critical data from your database.
  4. Application Vulnerability: An application susceptible to SQL injection is often seen as insecure, which can damage your reputation and erode user trust.

How to Prevent SQL Injection in PHP

Preventing SQL injection requires a combination of best practices and techniques to ensure that user input is properly sanitized and validated before being included in SQL queries.

Now that we understand the risks associated with SQL injection, let’s explore effective prevention techniques for PHP applications.

1. Use Prepared Statements and Parameterized Queries

Prepared statements, also known as parameterized queries, are the most effective way to prevent SQL injection.

PHP provides PDO (PHP Data Objects) and MySQLi extensions that support prepared statements.

Prepared statements separate SQL code from user input, making it extremely difficult for attackers to inject malicious code.

Example using PDO (PHP Data Objects):

// Create a PDO connection
$pdo = new PDO("mysql:host=localhost;dbname=mydatabase", "username", "password");

// Prepare a SQL statement with placeholders
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");

// Bind user inputs to placeholders
$stmt->bindParam(":username", $input_username);

// Execute the statement

Parameterized Queries (MySQLi):

If you prefer using MySQLi, parameterized queries offer a similar level of protection:

// Create a MySQLi connection
$mysqli = new mysqli("localhost", "username", "password", "mydatabase");

// Prepare a SQL statement with placeholders
$sql = "SELECT * FROM users WHERE username = ?";

// Prepare the statement
$stmt = $mysqli->prepare($sql);

// Bind parameters and execute
$stmt->bind_param("s", $input_username);

PHP introduced the mysqli execute_query() method in version 8.2 which is a shortcut for mysqli::prepare(), mysqli_stmt::bind_param(), mysqli_stmt::execute(), and mysqli_stmt::get_result(). Here is an example:

// Create a MySQLi connection
$mysqli = new mysqli("localhost", "username", "password", "mydatabase");

// Prepare a SQL statement with placeholders
$sql = "SELECT * FROM users WHERE username = ?";

$result = $mysqli->execute_query($sql, [$input_username]);

With prepared statements, user input is treated as data, not as part of the SQL query, making it impossible for attackers to inject malicious code.

2. Input Validation and Sanitization:

In addition to prepared statements, input validation and sanitization are essential. Validate and sanitize user inputs to ensure they meet expected criteria before using them in SQL queries. Use PHP’s built-in functions like filter_var and htmlspecialchars for this purpose.

// Validate and sanitize user input
$input_username = filter_var($_POST['username'], FILTER_SANITIZE_STRING);

3. Escaping User Input:

When using older PHP MySQL extensions or when you cannot use prepared statements, consider escaping user input using functions like mysql_real_escape_string (deprecated) or mysqli_real_escape_string. However, this method is not as secure as prepared statements.

// Escape user input (not recommended, use prepared statements)
$escaped_username = mysqli_real_escape_string($mysqli, $input_username);

4. Least Privilege Principle:

Ensure that the database user account used by your PHP application has the least privilege necessary. Limit the account’s access rights to only the specific tables and operations required by the application. This minimizes the potential impact of an SQL injection attack.

5. Error Handling:

Implement robust error handling to catch and log any database-related errors. Avoid displaying detailed error messages to users, as they can provide valuable information to attackers.

6. Regular Updates and Security Patches:

Keep your PHP version, database software, and related libraries up to date. Developers frequently release security updates and patches to address known vulnerabilities.


SQL injection is a serious threat to the security of PHP applications. By following best practices, using prepared statements, validating and sanitizing user input, and employing the principle of least privilege, you can significantly reduce the risk of SQL injection attacks. Always prioritize security in your development process to protect your application and its users from potential harm.

Remember, security is an ongoing process. Stay informed about the latest security practices and regularly update your PHP applications to shield them from emerging threats. Your commitment to security will go a long way in safeguarding your web applications and their users’ data.