Prepared MySQL statements in PHP (object oriented examples)

I find it sad how many online systems out there are unprotected against even the simplest type of attack, SQL injection. This is a guide and a set of examples about the use of prepared MySQL statements in PHP. If you want to see how an SQL injection attack works, you can read the previous article, An SQL injection attack. There is a similar guide to this one, but using the regular procedural functions of the MySQLi library, at Prepared MySQL statements in PHP (structured examples).

Prepared MySQL statements in PHP (structured examples)

I find it sad how many online systems out there are unprotected against even the simplest type of attack, SQL injection. This is a guide and a set of examples about the use of prepared MySQL statements in PHP. If you want to see how an SQL injection attack works, you can read the previous article, An SQL injection attack. There is a similar guide to this one, but using the object oriented interface of MySQLi in the examples, at Prepared MySQL statements in PHP (object oriented examples).

An SQL injection attack

Since I wrote two different guides about the use of prepared MySQL statements in PHP, and one of the reasons for using them is to prevent SQL injection attacks, I am going to write a little about these attacks, which many websites have suffered and continue to suffer even today. Rather than define what this attack is, the objective is to show how it works.

Managing MySQL from the command line

If our hosting service offers us an SSH shell and has MySQL installed, or if we have MySQL installed on our own computer, we can administer a database from the command line interface. If we develop programs that require a MySQL database, most likely we are already familiar with SQL statements. Using the mysql command we can send these queries to the database.

Working with UTF-8 in PHP, MySQL and Apache

As I have previously posted on this website, I believe it is a good idea to standardize on one character encoding across all parts of a system, and since my preferred character encoding is UTF-8, when I create a PHP system I check the following things:

  • That the browser receives and interprets the output of my PHP scripts as UTF-8.
  • That the (X)HTML forms accept UTF-8.
  • That PHP treats the data received from a MySQL database as UTF-8.