PHP Database Security

Whenever you allow your users to insert data, you are running risks of some sort: malicious code can be injected in your website to retrieve sensitive data or even damage it.

Generally speaking, forms are weak points of your applications: you want to make sure that whatever comes from a form undergoes a security routine (sanitation) that prevents any harm to your database.

A basic sanitation will escape dangerous characters like html code and quotations among others.

Sanitation has to take place BEFORE you store user's data in your database.

Here a list of useful functions you can use to sanitise data:

PLEASE NOTE: mysqli_real_escape_string() will only work if you are already connected to your database, as it will ask $dbc as a first parameter.


Here a simple example about how to prevent mysql injections, using data sanitising functions:

<!--an html form sample with one single input field-->

<form action="#" method="post">     <p>         fullname: <input type="text" name="fullname" value=""/>     </p>
    <p>         <input type="submit" value="send" name="submit"/>       </p> </form>

a very simple php sanitation example:

<?php #formSanitation.php
$dbc = mysqli_connect("localhost","root","root");

if( isset($_POST['submit']) ){
//storing form data into a variable
$dangerous_data = $_POST['fullname'];

//sanitising form data
$safe_data = mysqli_real_escape_string($dbc, $dangerous_data);

//you can now store sanitised data into your DB
$q = "INSERT INTO `yourDB`.`yourTable` (`fullname`) VALUES ('$safe_data') ";

//[...] and so on...
}//end if submit

To achieve a higher level of security, you may want to read about prepared statements or PHP Data Objects (PDO