I heard that sql injections are causing to our databases by spammers...
Can anyone please tel me how it is possible ?
And very importantly how to escape from sql injections...

I expect more answers from you...And Thanks for those ....

Hi Shanti,

SQL injections are done using the inputs that user provides.

Like if there is a login page and it has two input boxes userid and password.

and if you have written a sql statement as follows

select * from tbllogin where username = '$_POST["userid"]' and password = '$_POST["pwd"]'

suppose I give input as "vicky" for username and for password, I give

1' or '1'='1

then the statement will look like

select * from tbllogin where username = 'vicky' and password = '1' or '1'='1'

as you can see from here now this statement will return record in any case, so user will always be able to login to the system.

I think this will give you a starting point to understand the problem.


The best way to prevent SQL injection is using stored procedures with parameters.

Can u explain with details...vicky..please,,,

Hello all...
Any other information about this thread...
please post it...

SQL injection is a class of security problems in web applications caused by executing sql queries containing user-supplied text e.g. entered on an html form. An attacker can provide text that will do unexpected, possibly harmful, things.

Unfortunately the easiest way to write SQL queries in PHP is also the dangerous way:

mysql_query("UPDATE users SET age='$age' WHERE id = '$id'");

If the string $id is "foo' OR 'x'='x", the resulting query will be:

mysql_query("UPDATE users SET age=$age WHERE id = 'foo' OR 'x'='x'");

This will update age of every user, clearly not a good thing.

A safer way of doing this is:

if (get_magic_quotes_gpc()) {
$age = stripslashes($age);
mysql_query("UPDATE users SET age='".mysql_real_quote_string($age)."' WHERE id = '".mysql_real_quote_string($id)."'");

Thanks praveen...
Good Information...
Any other info, post again...

hi Shanti,

As we know that stored procedures can be called in two ways:

1. stored procedure name and then list of the values that needs to be passed.
2. create parameters and then execute stored procedure with the parameters.

the 2nd one is best way to prevent SQL injection, as the values will not be passed directly in sql query.

so now 1' or '1'='1 will not be passed as itis within single quotes but passed as values of variables. so the query will try to check for 1' or '1'='1 in the respective column.

It will get clear from the following example.

CREATE PROCEDURE SP_ProductSearch @prodname varchar(400) = NULL AS
DECLARE @sql nvarchar(4000)
SELECT @sql = ' SELET ProductID, ProductName, Category, Price ' +
              ' FROM Product Where '
IF @prodname IS NOT NULL
  SELECT @sql = @sql + ' ProductName LIKE @prodname'
EXEC sp_executesql @sql, N'@prodname varchar(400)',@prodname