18.5.1. ProblemYou need to eliminate SQL injection vulnerabilities in your PHP applications. 18.5.2. SolutionUse a database library such as PDO that performs the proper escaping for your database: <?php $db = new PDO('mysql:host=localhost;dbname=users', $_SERVER['DB_USER'], $_SERVER['DB_PASSWORD']); $statement = $db->prepare("INSERT INTO users (username, password) VALUES (:username, :password)"); $statement->bindParam(':username', $clean['username']); $statement->bindParam(':password', $clean['password']); $statement->execute(); $db = NULL; ?> 18.5.3. DiscussionUsing bound parameters ensures your data never enters a context where it is considered to be anything except raw data, so no value can possibly modify the format of the SQL query. If you do not have access to PDO, you can use a database library written in PHP, such as PEAR::DB, that offers a similar feature: <?php $st = $db->query('INSERT INTO users (username, password) VALUES (?, ?)', array($clean['username'], $clean['password'])); ?> Although this method still intermingles your data with the SQL query, PEAR::DB ensures that the data is quoted and escaped properly, so there is no practical risk of SQL injection. 18.5.4. See AlsoChapter 10 for more information about PDO, particularly Recipes Recipe 10.6 and Recipe 10.7; documentation on PDO at http://www.php.net/pdo; on PEAR::DB at http://pear.php.net/manual/en/package.database.db.php. |