I have an application and I have complex requests tot the server. There are a lot of database operations. Managing them can become very hard some times. In this situation how can I prevent sql injection attacks to my application.

Use Prepared Statements

Prepared statements are the way to bind client-side provided values with database queries. Prepared Data Object (PDO) acts middle proxy and prevents SQL injections. PDO is supported all database drivers so there is no problem about database driver.

$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name'); $stmt->execute(array('name' => $name)); foreach ($stmt as $row) { // do something with $row }

Correctly Setup Database Connection

Using default settings generally provides problems or security issues. So creating a database connection by explicitly specifying parameters is the best way sql injection type attack.

$dbConnection = new PDO('mysql:dbname=dbtest;host=127.0.0.1;charset=utf8', 'user', 'pass'); $dbConnection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); $dbConnection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

Use WAF

After deployment of php web application it will be reached from internet. Most of the attackers resides internet so preventing them or at least detecting them will be valuable. Web Application Firewall is like a Network Firewall but works in layer 7 in OSI reference model. Simple WAF will inspect http/s traffic and try to find block attack requests.

Make Penetration Test For Application

Penetration tests are simulation of the attacks and attackers. White hat hackers will give this service to attack the php application like a Black Hat Hacker and give some hints about php application vulnerabilities.

Make Static Code Analyze

Code Analyze is the act of using Code Analyzing tools to find security related code parts in the application code. Static Code Analyze gives a lot of issues but some of them are false positive so the Static Code Analyze report should be filtered by a security professional to make thing better and clearer.

How To Prevent SQL Injection in Php Applications? Infografic