Prevent SQL injection attacks

from the Artful MySQL Tips List

[Originally published in MySQL Ezine May 2007]

ABSTRACT: In a SQL injection, attackers try to corrupt your data by "injecting" destructive SQL into a statement your application has prepared for execution against your database. Learn simple ways to prevent this.

SQL injection is a method for attacking databases. The attacker "injects" elements into your program's SQL in order to bypass authorization or damage the database.

Web sites that send SQL commands to databases are particularly vulnerable to SQL injection, because they often rely on dynamic SQL, and because it can be easy to mount millions of such attacks until one succeeds. Here is a simple example. A PHP page asks the user for a name and a password, then sends this to the database...

    SELECT * FROM mysql.user WHERE user = '$usr' AND password = '$pwd'; 

Is it as innocuous as it looks? Suppose a user enters something like this as a user name...

    ' OR 1>0; -- 

When your application plugs that entry into your SQL, the command becomes...

    SELECT * FROM mysql.user WHERE user = '' OR 1>0; -- AND password = '' 

Your intruder just retrieved all rows and columns of the mysql.user table. Not exactly what you had in mind.

Or a malevolent user might supply this username...

    OR 1>0; TRUNCATE customers; --  

whereupon your application sends this command to the database...

    SELECT * FROM mysql.user WHERE user = '' OR 1>0; TRUNCATE customers; -- ' AND password = ''

If your application's connection supports multiple SQL commands in a single query call, all your customer data just went away.


The simplest way to prevent this sort of injection is to search the SQL string for semi-colons and double dashes, and remove them before passing the statement to the database. That's easy in an adequate application language, for example in PHP...

    $protectedqry = str_replace( "--", "", str_replace( ";", "", $qry ));

If $qry has offending characters, sending $protectedqry to the database raises a MySQL error. That provides one level of protection.

Better still, search the string for double dashes and semi-colons, and if either is found then refuse to send the query to the database. If you want to be really thoroughgoing, you could blacklist the IP address that launched the attack.

Now you are fully protected against attacks that use double dashes and semi-colons. Have you covered all possible attacks? Not a chance, human ingenuity having no practical limit. For example, a favorite trick we haven't touched on is introduction of malevolent WHERE clauses.


The attacker has to succeed just once. If your database is to be safe, you must succeed every time. You are on better logical ground enforcing a simple positive validation pattern than looking for a limitless number of dangerous or invalid patterns. Positive input filters improve your chances of success enormously. For example, you could decide to accept only alphanumeric characters in user names and passwords. It is easy to enforce that rule in any adequate app language. In PHP, for example, you can write ...

    if( ereg( '[^A-Za-z0-9]+', $usr.$pwd )) {
       echo "Alphabetic and numeric characters only, please.";

You can formulate more stringent tests based on specific input requirements.


Application languages provide generic tools for cleaning up submissions to your database. In PHP use mysql_real_escape_string() ...

    $qry = mysql_real_escape_string( $qry, $connection_resource );

but that is not enough. For example if a user can specify the last parameter of a dynamic query as something like 1 select user,password from mysql.user, passing user input through mysql_real_escape_string() will not protect against many injections. You need positive output filters, in this case, if an integer value is required from the user, passing the value to intval() will filter out trailing injection code.


Enterprise RDBMS policies usually require that all such protective logic be encapsulated in stored procedures. Stored procedures offer no anti-SQL-injection magic—within them, just apply the above principles.

One kind of encapsulation, the prepared statement, does have protective value because it organises input and output filters, for example in PHP ...

  $pdo = new PDO($dsn);
  $column = 'url';
  $value = '';
  $limit = 1;
  $validColumns = array('url', 'last_fetched');
  $statement = $pdo->prepare( 'SELECT url FROM urltable ' .
                              'WHERE ' . $column . '=? ' .
                              'LIMIT ' . intval($limit)


To stop SQL injection attacks in their tracks, apply simple positive and negative input filters, and escape possibly problematic characters in what you send to the database.

Return to the Artful MySQL Tips page