
Prevent SQL Injection

How to Prevent SQL Injection Attacks?

To understand why you need to prevent SQL injection, consider its impact: it is one of the most dangerous attacks on the web. An attacker can steal your entire database or, in the worst case, take over the whole web server from a single SQL injection vulnerability.

I wrote this article to show how to prevent SQL injection, not to discuss SQL injection and its types; you can find all of that with a simple web search if you need it.

I want to share what I consider the best solution to prevent SQL injection completely, and the solution is very easy.

The solution is to clean the request parameters coming from the user.

Keep in mind that the solution I share here is not like the ones you will find on the web that go through every SQL statement and clean the data one by one. This solution prevents SQL injection without touching your CMS files or project code.

Someone using PHP may say that this is easy: just use the mysql_real_escape_string or mysqli_real_escape_string PHP function, depending on whether you use the mysql or mysqli extension.

But that works only on a single-dimensional array. What about multidimensional arrays?

We need to iterate over all children recursively.

So what we will do is prevent SQL injection for multidimensional arrays as well.

Solution

This code handles both single and multidimensional arrays in PHP.

You can look up the PHP function used here to clean the request array: array_walk_recursive.

Put this code at the top of your site or in your header file, right after the database connection; that file might be called up.php, header.php or something similar.

If you run it before the connection is opened it will throw an error, because mysql_real_escape_string needs an open SQL connection.

If you are using PHP 7, the mysql extension has been removed, so replace the function mysql_real_escape_string with mysqli_real_escape_string.

One last thing I have to mention regarding your code: on all of your pages, keep your SQL parameters between quotes like this:

mysql_query("select * from users where email='$email' order by id");

Without quoting your input as above, the SQL injection prevention won't work.
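As an added example (not the article's own code, which is not reproduced on this page), here is the approach described above written out in PHP: a function that walks the request arrays recursively with array_walk_recursive and escapes every string leaf with mysqli_real_escape_string, run right after the connection is opened, followed by a query that keeps the parameter between quotes as the last paragraph requires. The connection variable $conn, the host and credential placeholders, and the function name escape_request_recursive are assumptions.

```php
<?php
// Added example, not the article's code. Assumes a mysqli connection; the
// host, user, password and database names below are placeholders.
$conn = mysqli_connect('db-host-placeholder', 'user-placeholder', 'password-placeholder', 'db-placeholder');
if ($conn === false) {
    die('Database connection failed: ' . mysqli_connect_error());
}

/**
 * Escape every string leaf of a (possibly nested) request array in place.
 * array_walk_recursive descends into nested arrays on its own, so a single
 * call covers both single- and multidimensional input.
 */
function escape_request_recursive(mysqli $conn, array &$input): void
{
    array_walk_recursive($input, function (&$value) use ($conn): void {
        if (is_string($value)) {
            $value = mysqli_real_escape_string($conn, $value);
        }
    });
}

// Must run after the connection exists: mysqli_real_escape_string needs the
// connection to know the active character set.
escape_request_recursive($conn, $_GET);
escape_request_recursive($conn, $_POST);
escape_request_recursive($conn, $_COOKIE);
escape_request_recursive($conn, $_REQUEST); // a separate copy, so escape it too

// Escaping only neutralises characters that are special inside a quoted
// string literal, so the value must sit between quotes in the SQL text.
$email  = $_GET['email'] ?? '';
$result = mysqli_query($conn, "select * from users where email='$email' order by id");
```

Because mysqli_real_escape_string only escapes characters that matter inside a quoted string literal, the protection holds exactly where the article's last rule is followed: the value is placed between quotes. A parameter interpolated without quotes (for example an id used as `where id=$id`) is not covered by this escaping, which is why the quoting rule is part of the solution rather than an optional detail.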