views:

98

answers:

4

Hi, I'm new to this forum and have a dilemma with my MySQL/PHP site. Now I've created a function that a SQL query is passed to and that executes it. What I didn't account for was the fact that my SQL query being passed to the function is showing up in the "view source" of all browsers, which is a BIG security concern because hackers can see the query. Here is a snippet of the function:

// connect to MySQL (legacy mysql_* extension, as in the original post)
$connection = mysql_connect($host, $username, $password)
    or die("Couldn't connect to MySQL: " . mysql_error());

// select the database
$db = @mysql_select_db($db_name, $connection)
    or die("Couldn't select database");

// runs whatever SQL string it is given and returns the result resource
function statement($query)
{
    global $connection, $db;
    $sql = $query;
    $results = mysql_query($sql, $connection) or die(mysql_error());
    return $results;
}

Here's how it's called:

$cat_results = statement("select * from $category");

Is there a way to hide the query passed from the browser using the function I have? If not, any recommendations on a better approach to this function?

Really appreciate any thoughts on this!!

Andre

A: 

It is not recommended to pass the query string all the way to the browser/client. You should only pass the query outcome to the client.

deepsat
A: 

Unless you disable PHP on your server, or something breaks, your users won't ever see your PHP code.

mikerobi
A: 

PHP code should never show up in the HTML source. When things are working properly it should all be processed by the server and only the results sent to the client. Maybe you've missed a <? or ?> tag somewhere that's preventing it from being seen as PHP?

bemace
+2  A: 

First of all, PHP isn't viewable by the client; it is always executed by the server. Second of all, at no point can the client execute SQL on your server. This is the basis of SQL Injection. If you are building a query with JavaScript and then sending it to a PHP script to be executed, then you have a very serious vulnerability on your hands.

Rook
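As an added example (not code from this thread, from Andre's site, or from the answerers), the following shows why the query in `statement("select * from $category")` is the real concern rather than "view source": if `$category` comes from the request, the client controls the SQL text. The block rebuilds the helper on PDO with an allowlist for the table name and a bound parameter for the row filter. It assumes PHP 7.1+ with the pdo_sqlite extension; an in-memory SQLite database stands in for MySQL, and the tables, rows, and attacker inputs are constructed for the demonstration.

```php
<?php
// Added example, not code from the original thread: the question's statement()
// helper rebuilt on PDO so that request data never becomes part of the SQL text.
// Assumptions: PHP 7.1+ with pdo_sqlite; an in-memory SQLite database stands in
// for MySQL, and the tables/rows below are constructed for the demonstration.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT, price REAL)');
$pdo->exec('CREATE TABLE admin_users (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT)');
$pdo->exec("INSERT INTO books VALUES (1, 'PHP Security', 30.0), (2, 'SQL Basics', 20.0)");
$pdo->exec("INSERT INTO admin_users VALUES (1, 'root', 'constructed-hash-value')");

// 1. The pattern from the question: whatever arrives in $category is pasted
//    into the query. If it comes from the request, the client writes your SQL.
function statementUnsafe(PDO $pdo, string $category): array
{
    $sql = "select * from $category";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Hardened version. A table name cannot be sent as a bound parameter, so it
//    is checked against a fixed allowlist of names the application owns; the
//    row filter is a value, so it goes through a placeholder and is never
//    parsed as SQL.
const ALLOWED_CATEGORIES = ['books', 'magazines'];

function statementSafe(PDO $pdo, string $category, ?string $title = null): array
{
    if (!in_array($category, ALLOWED_CATEGORIES, true)) {
        throw new InvalidArgumentException('unknown category');
    }
    // $category is now one of our own constants, so interpolating it is safe.
    $sql = "SELECT * FROM $category";
    $params = [];
    if ($title !== null) {
        $sql .= ' WHERE title = :title';
        $params[':title'] = $title;
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input for the table-name slot: drags another table
// into the result set of the "category" listing.
$evilCategory = 'books WHERE 0 UNION SELECT id, login, pw_hash FROM admin_users';
// Constructed attacker input for the value slot: the classic tautology.
$evilTitle = "' OR 1=1 --";

$rows = statementUnsafe($pdo, $evilCategory);
printf("unsafe: %d row(s); the 'title' column now holds: %s\n",
    count($rows), $rows[0]['title']);

try {
    statementSafe($pdo, $evilCategory);
} catch (InvalidArgumentException $e) {
    echo "safe: table-name payload rejected by the allowlist\n";
}

$rows = statementSafe($pdo, 'books', $evilTitle);
printf("safe: tautology in a bound value matches %d row(s)\n", count($rows));

$rows = statementSafe($pdo, 'books', 'SQL Basics');
printf("safe: legitimate lookup returns %d row(s)\n", count($rows));
```

Run it with the PHP CLI. The unsafe helper returns the admin_users row under the books column names, the allowlist rejects the same payload outright, and the tautology sent as a bound value matches nothing because the driver treats it as a string, not as SQL. Against MySQL, use the mysql: DSN, quote the allowlisted identifier with backticks, and set PDO::ATTR_EMULATE_PREPARES to false so the placeholders are real server-side prepares.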