what is the best way to prevent sql injection in mysql

Question

Hi all,

i don't know much about sql injection.

I want to know that what is the best way to prevent the sql injection in mysql?

Like how should i insert data in the database, How should i fetch them from DB, how to execute search query, update query in mysql.

Upto here i know that addslashes is used to prevent the sql injection in mysql using php.

when its creating the problem when searching the data from database. the problem i have described here. http://stackoverflow.com/questions/2100622/search-problem-in-mysql-query

could you please let me know how to prevent this. I have heard about the mysql_real_escape_string but don't know how to use this.

Thanks

Avinash

Answer 1

Typically the best way is to rely on the library of the language you're writing in. Every good library has a way to write canned parameterized SQL statements, so just Google "$(language_name) parameterized SQL" and you'll be good to go.

Answer 2

Travis is completely right. You need to leverage the programming language to prevent SQL injections. For example, in Java use PreparedStatements to execute SQL queries. Parameters can be specified into Prepared Statements and these parameters can not be any other sql queries i.e. preventing user to type other sql query into input parameters. In this way SQL injection can be avoided. This is a very basic example and the answer depends upon the programming language you are using.

Answer 3

If you are working with PHP and MySQL than I would suggest usage of PDO for accessing Database.