
A way of globalising the mysql function to avoid sql injection

Keep in mind please that I am still learning. I am working on a website and I am simply adjusting and copying code for the most part, from the existing code, because that's the easiest way for me to understand it.

I keep getting an SQL error that is caused by the use of apostrophes, and I've started putting in mysql_real_escape_string() for every text field, which solved the individual problems.

Now this is genuinely just me asking for help. Please don't be sarcastic, I am really just trying to learn and this has been the best place to ask questions, so here:

Is there any way of fixing a general setup that will filter out the apostrophes that interfere? Basically anything that will help the site in general be protected against SQL injection? Any help would be greatly appreciated :)

The general solution: all the parameters (values) should be passed through prepared statement placeholders.

http://nz.php.net/manual/en/pdo.prepare.php

http://nz.php.net/manual/en/mysqli.prepare.php

Is there any way of fixing a general setup that will filter out the apostrophes that interfere?

Definitely NO.

A long time ago there was one, but nowadays it's defamed, deprecated and excommunicated (as it never worked as intended and failed its purpose).

The problem you face comes from the fact that an SQL query is a program. So, you have to follow the syntax rules when creating this program, just like with any other programming language. If you happen to create a PHP program, you have to take care of the irritating apostrophes as well - you can't put them all over the code in random places; each has to have its strict syntactical meaning, or - if an apostrophe is part of the data - it has to be properly escaped.

So, it is just a syntax issue.
The best way to solve the problem is to separate the code from the data.
Native prepared statements give you that possibility.
You can create a program - the query itself - and then bind some variables to it, so the program code and the data are sent to the SQL server separately.
That's why prepared statements are considered the best way of creating dynamic SQL queries.

But of course you have to bind each variable to its query explicitly - so there is no generalized way.

However, you can use some helper to do the binding automatically, so the code becomes as concise as

$db->run("SELECT * FROM table WHERE id=?",$id); 

which would be both short in writing and perfectly safe at the same time.
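A worked version of the helper sketched in the answer above, added here as an illustration (it is not code from the answer, from PDO's documentation, or from any library): a small wrapper whose run() method prepares the statement and hands every value over as a bound parameter, so the SQL text never contains user data. The class name Db, the users table and the in-memory SQLite database are assumptions made so the script runs offline; with pdo_mysql only the DSN changes.

```php
<?php
declare(strict_types=1);

// Minimal data access helper around PDO (assumed name: Db).
// Every value travels as a bound parameter; the query text is fixed code.
final class Db
{
    private PDO $pdo;

    public function __construct(string $dsn, ?string $user = null, ?string $pass = null)
    {
        $this->pdo = new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
            // With pdo_mysql also pass PDO::ATTR_EMULATE_PREPARES => false so the
            // server, not the client driver, does the binding (native prepared
            // statements, as the answer above describes).
        ]);
    }

    /** Prepare the query, bind all positional values, execute, return the statement. */
    public function run(string $sql, mixed ...$params): PDOStatement
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);   // values bound to the '?' placeholders in order
        return $stmt;
    }

    /** Plain DDL/DML with no values in it (schema setup only). */
    public function exec(string $sql): void
    {
        $this->pdo->exec($sql);
    }
}

// Constructed demo data: in-memory SQLite, so no server is needed.
$db = new Db('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
foreach (["O'Brien", 'alice'] as $name) {
    $db->run('INSERT INTO users (name) VALUES (?)', $name);
}

// 1. The apostrophe that broke the original queries: nothing to escape, the
//    value is sent separately from the query text.
$rows = $db->run('SELECT id, name FROM users WHERE name = ?', "O'Brien")->fetchAll();
var_dump($rows);   // one row, name "O'Brien"

// 2. A classic injection payload. Through a placeholder it is compared as a
//    literal string and matches nothing. Interpolated into the query text it
//    becomes  WHERE name = '' OR '1'='1'  and matches every row.
$payload = "' OR '1'='1";

$safe = $db->run('SELECT COUNT(*) AS n FROM users WHERE name = ?', $payload)->fetch();
echo "rows matched with placeholder:   {$safe['n']}\n";   // 0

$unsafe = $db->run("SELECT COUNT(*) AS n FROM users WHERE name = '$payload'")->fetch();
echo "rows matched with interpolation: {$unsafe['n']}\n"; // 2 (whole table)
```

The point of the wrapper is that the only way to get a value into a query is through run()'s parameter list, so the "one parameter you forget" failure mode of manual escaping becomes a visible string concatenation in a code review rather than a silent hole. Table and column names still cannot be bound this way; if those ever come from user input they must be checked against a fixed whitelist in PHP before being placed in the query text.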

Using a data access layer that does this for you is a far better way than manually protecting each query parameter. Not only because it's tedious, but because there'll be that one critical parameter you'll forget eventually.

I used SafeSQL back when I still did PHP -- it's very light and unobtrusive... but plugging it in if you're a beginner might still be a daunting task.
