SQL Antipatterns by Bill Karwin

Solution: Trust No One

There is no single technique for securing your SQL code. You should learn all of the following techniques and use them in appropriate cases.

Filter Input

Instead of wondering whether some input contains harmful content, you should strip away any characters that aren’t valid for that input. That is, if you need an integer, use only the part of the content that comprises an integer. The best way to do this depends on your programming language; for example, in PHP, use the filter extension:

SQL-Injection/soln/filter.php

<?php
// Assumes $pdo is an already-opened PDO connection (not shown in this excerpt).
// Keep only the characters that can form an integer; everything else is stripped.
$bugid = filter_input(INPUT_GET, "bugid", FILTER_SANITIZE_NUMBER_INT);

// Because $bugid now contains only digits and sign characters, interpolating it
// can no longer introduce SQL syntax into the statement.
$sql = "SELECT * FROM Bugs WHERE bug_id = {$bugid}";

$stmt = $pdo->query($sql);
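To show what this kind of type-based filtering does and does not do, here is an added Python example (not from the book) that mimics FILTER_SANITIZE_NUMBER_INT against an in-memory SQLite table; the Bugs table, its rows and the sample inputs are constructed for illustration.

```python
import re
import sqlite3

# Characters an integer may contain, mirroring PHP's FILTER_SANITIZE_NUMBER_INT:
# digits, plus and minus. Everything else is stripped out.
_NOT_INT_CHARS = re.compile(r"[^0-9+-]")
_WHOLE_INT = re.compile(r"[+-]?[0-9]+")


def sanitize_int(value: str) -> str:
    """Sanitize: strip every character that cannot be part of an integer."""
    return _NOT_INT_CHARS.sub("", value)


def validate_int(value: str):
    """Validate: accept the input only if it already is an integer, else None."""
    value = value.strip()
    return int(value) if _WHOLE_INT.fullmatch(value) else None


def setup_db() -> sqlite3.Connection:
    """Constructed sample table with three bug rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Bugs (bug_id INTEGER PRIMARY KEY, summary TEXT)")
    conn.executemany("INSERT INTO Bugs VALUES (?, ?)",
                     [(1, "crash on start"), (2, "typo in help"), (123, "memory leak")])
    return conn


def find_bug(conn: sqlite3.Connection, raw_bugid: str) -> list:
    """Build the query the way filter.php does: interpolate only after filtering."""
    bugid = sanitize_int(raw_bugid)
    # Guard against an empty or sign-only remainder, which would be a syntax error.
    if not _WHOLE_INT.fullmatch(bugid):
        return []
    sql = f"SELECT bug_id FROM Bugs WHERE bug_id = {bugid}"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = setup_db()
    for raw in ["123", "123 OR 1=1", "' OR '1'='1", "abc"]:
        print(repr(raw), "->", sanitize_int(raw), find_bug(db, raw), validate_int(raw))
```

Note that sanitizing rewrites the value rather than rejecting it: "123 OR 1=1" becomes the harmless but unintended 12311, whereas validation (FILTER_VALIDATE_INT in PHP) refuses it outright, which is usually the behaviour you want for identifiers.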

You can use type casting functions for ...
