Solution: Trust No One

There is no universal remedy against SQL Injection. Let's learn how we can use different techniques for different scenarios.

We'll cover the following

There is no single technique for securing our SQL code. A good approach is to learn all of the following techniques and use them in appropriate cases.

Filter input

Instead of wondering whether some input contains harmful content, we should strip away any characters that aren’t valid for that input. That is, if we need an integer, we should use only the part of the content that comprises an integer. The best way to do this depends on our programming language; for example, in PHP, we should use the filter extension:

<?php 
$bugid = filter_input(INPUT_GET, "bugid", FILTER_SANITIZE_NUMBER_INT);
$sql = "SELECT * FROM Bugs WHERE bug_id = {$bugid}";
$stmt = $pdo->query($sql);
?>

We can use type casting functions for simple cases like numbers:

<?php
$bugid = intval($_GET["bugid"]);
$sql = "SELECT * FROM Bugs WHERE bug_id = {$bugid}";
$stmt = $pdo->query($sql);
?>

Get hands-on with 1200+ tech skills courses.