PHP function against SQL injections

In computer security, an SQL injection is a flaw that is not complicated to exploit and that can do a lot of damage. This article briefly presents this type of flaw and offers a PHP function to protect against this type of threat.

SQL injection

Presentation of this type of flaw

SQL injections consist of supplying data that modifies a basic SQL query so that it does something other than what was originally intended. These flaws are possible when the input data is not protected. For example, imagine an SQL query that selects a user's identifier from their login and password.

SELECT identifiant
FROM utilisateur
WHERE login = 'nom_utilisateur' AND password = 'XC5AF32';

This query retrieves the user's identifier if the login and password are correct. If they are not, the query returns nothing and the application can therefore tell the user that they must have entered the wrong password.

In this query, the login is entered by the user. However, if the user enters the login "admin' --", they can log in even without knowing the correct password. Here is what the query looks like with such a username:

SELECT identifiant
FROM utilisateur
WHERE login = 'admin' --' AND password = 'faux_password';

The two dashes mean that the rest of the query is a comment, so the password check is never evaluated. From then on, it is possible to log in to the administrator's account and access all the sensitive data of a site or application.
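The bypass described above, reproduced as an added example that is not part of the original article: the same concatenated query is run against an in-memory SQLite database through PDO, so it runs offline without a MySQL server. The table and its rows are constructed sample data; the helper name find_user_unsafe is hypothetical.

```php
<?php
// Added example (not the article's code): shows what the concatenated query
// becomes and what it returns, first with ordinary input, then with the
// "admin' --" login from the article. SQLite is used so no server is needed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed sample schema and rows (column names follow the article's query).
$db->exec("CREATE TABLE utilisateur (identifiant INTEGER PRIMARY KEY, login TEXT, password TEXT)");
$db->exec("INSERT INTO utilisateur VALUES (1, 'admin', 'XC5AF32'), (2, 'alice', 's3cret')");

// The vulnerable pattern: user input is pasted straight into the SQL text.
// Returns the user's identifiant, or null when login/password do not match.
function find_user_unsafe(PDO $db, string $login, string $password): ?int
{
    $sql = "SELECT identifiant FROM utilisateur "
         . "WHERE login = '$login' AND password = '$password'";
    echo "Executed SQL: $sql\n";
    $id = $db->query($sql)->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Normal behaviour: a wrong password yields no row.
var_dump(find_user_unsafe($db, 'admin', 'faux_password'));    // NULL

// The article's input: the quote closes the string literal and "--" turns the
// rest of the line, including the password check, into a comment. The admin
// row comes back although the password is wrong.
var_dump(find_user_unsafe($db, "admin' --", 'faux_password')); // int(1)
```

Logging the executed SQL, as the function does here, is also the simplest way to see an injection in a development environment: the query text no longer matches the shape the developer wrote.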

Prevent this flaw in PHP

To avoid such flaws with the PHP language, it is advisable to clean the input data before using it in SQL queries. It is possible to use PDO (with prepared statements) to avoid these errors, but when this is not possible you just have to use the function mysqli_real_escape_string() or mysql_real_escape_string() (for older versions of PHP). These functions escape the special characters of a string so that the string can be used safely inside a quoted literal in a query.

Below is a PHP function that should be called on every piece of data inserted into a query.

PHP 5

// $link is the open mysqli connection: mysqli_real_escape_string() requires it
// as its first argument because the escaping depends on the connection charset.
function sanitize_string($link, $str) {
	if (get_magic_quotes_gpc()) {
		// Magic quotes already added backslashes; remove them before escaping
		// so the value is not escaped twice.
		$sanitize = mysqli_real_escape_string($link, stripslashes($str));
	} else {
		$sanitize = mysqli_real_escape_string($link, $str);
	}
	return $sanitize;
}

PHP 4 and PHP <5.5

function sanitize_string($str) {
	if (get_magic_quotes_gpc()) {
		// Undo magic quotes first so the value is not escaped twice.
		$sanitize = mysql_real_escape_string(stripslashes($str));
	} else {
		$sanitize = mysql_real_escape_string($str);
	}
	return $sanitize;
}

PHP <4.3

For old versions of PHP you should use the PHP function addslashes(). Although this function is not ideal (it knows nothing about the database's character set), it is better than nothing.

function sanitize_string($str) {
	// Prefixes quotes, double quotes, backslashes and NUL bytes with a backslash.
	$sanitize = addslashes($str);
	return $sanitize;
}

Benefits of the function

This function is to be used on each $_GET or $_POST value that will go into an SQL query. In particular, it transforms the single quotation mark into its HTML entity equivalent. It is convenient to use such a function because if one day the database system is changed, it is enough to change the mysqli_real_escape_string() call inside it instead of modifying the rest of the code.
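The two defences the article names, put side by side as an added example (not the article's own code): the escape-based approach, which only works when the escaped value is placed between single quotes in the SQL text, and the PDO prepared-statement approach, where the value never becomes part of the SQL text at all. Because no MySQL server is assumed, the demo runs on SQLite in memory and uses PDO::quote() as the stand-in for mysqli_real_escape_string() plus manual quoting; the table and rows are constructed sample data and the helper names are hypothetical.

```php
<?php
// Added example (not the article's code). Both helpers return the user's
// identifiant or null, and both are fed the "admin' --" login from the
// article to show that neither can be bypassed the way the concatenated
// query can.

// Escape-based variant. PDO::quote() escapes the value AND wraps it in single
// quotes; it stands in here for mysqli_real_escape_string($link, $str) followed
// by manual quoting, which is the same pattern against MySQL. Escaping is only
// a defence for values that end up inside a quoted string literal.
function find_user_escaped(PDO $db, string $login, string $password): ?int
{
    $sql = 'SELECT identifiant FROM utilisateur WHERE login = ' . $db->quote($login)
         . ' AND password = ' . $db->quote($password);
    echo "Escaped SQL: $sql\n";
    $id = $db->query($sql)->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Prepared-statement variant (the PDO route the article mentions). The SQL text
// is fixed; the driver receives the values separately, so there is nothing to
// escape and no quoting mistake to make.
function find_user_prepared(PDO $db, string $login, string $password): ?int
{
    $stmt = $db->prepare(
        'SELECT identifiant FROM utilisateur WHERE login = :login AND password = :password'
    );
    $stmt->execute([':login' => $login, ':password' => $password]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed sample schema and row, matching the article's query.
$db->exec("CREATE TABLE utilisateur (identifiant INTEGER PRIMARY KEY, login TEXT, password TEXT)");
$db->exec("INSERT INTO utilisateur VALUES (1, 'admin', 'XC5AF32')");

// Correct credentials still work with both variants.
var_dump(find_user_escaped($db, 'admin', 'XC5AF32'));             // int(1)
var_dump(find_user_prepared($db, 'admin', 'XC5AF32'));            // int(1)

// The article's injection input is now compared as a literal login string
// ("admin' --"), which matches no user, so the password check is not skipped.
var_dump(find_user_escaped($db, "admin' --", 'faux_password'));   // NULL
var_dump(find_user_prepared($db, "admin' --", 'faux_password'));  // NULL
```

The printed escaped SQL shows the quote doubled inside the literal ('admin'' --'), which is why the comment marker stays inside the string instead of truncating the query. When the escape-based function is kept for legacy code, the same rule applies with mysqli_real_escape_string(): pass the connection handle and always wrap the result in quotes in the query text.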