PHP Database Security

Whenever you allow your users to insert data, you are running risks of some sort: malicious code can be injected in your website to retrieve sensitive data or even damage it.

Generally speaking, forms are weak points of your applications: you want to make sure that whatever comes from a form undergoes a security routine (sanitation) that prevents any harm to your database.

A basic sanitation will escape dangerous characters like html code and quotations among others.

Sanitation has to take place BEFORE you store user’s data in your database.

Here a list of useful functions you can use to sanitise data:

PLEASE NOTE: mysqli_real_escape_string() will only work if you are already connected to your database, as it will ask $dbc as a first parameter.


Here a simple example about how to prevent mysql injections, using data sanitising functions:

A very simple php sanitation example:

To achieve a higher level of security, you may want to read about prepared statements or PHP Data Objects (PDO)