Solution: Trust No One

There is no single technique for securing your SQL code. You should learn all of the following techniques and use them in appropriate cases.

Filter Input

Instead of wondering whether some input contains harmful content, you should strip away any characters that aren’t valid for that input. That is, if you need an integer, use only the part of the content that comprises an integer. The best way to do this depends on your programming language; for example, in PHP, use the filter extension:

SQL-Injection/soln/filter.php
 
<?php
 
$bugid = filter_input(INPUT_GET, ​"bugid"​, FILTER_SANITIZE_NUMBER_INT);
 
$sql = ​"SELECT * FROM Bugs WHERE bug_id = ​{$bugid}​"​;
 
$stmt = $pdo->query($sql);

You can use type casting functions for ...

Get SQL Antipatterns now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.