About a decade and a half ago I picked up PHP. After having made a few less than decent websites in HTML I wanted a little more so I started constructing a basic blog applications. Hundreds, or rather thousands, of uninformative error messages later, I had my blog system running. Of course, as a under-aged boy living in the nineties, a free web-host with a busload of ads was my weapon of choice. Due to the inherent limitations of those free hosts I had to be creative and set up my blog using a flat file system. Amazingly this worked, but it became clear (after I had transformed the blog to a more advanced forum, creating blank text files for every new thread) that there might be a better, easier and most of all safer way to do this.

And so there was, I found a great web-host that gave me all I wanted and let me install anything I'd like; apache on my home pc! And with apache came MySQL, an awesome database with one of the best visual editors I've come across so far (phpMyAdmin). Like many enthusiasts out there I started making PHP scripts that communicated back and forth with a giant database, showed users what they requested and showed me which links had been most popular. There was one thing though...

SQL injections became a major problem for a large amount of websites. PHP, at least at first, did not challenge users to bother about sql injections, especially with the incomprehensible magic_quotes option we were 'given'. Luckily nowadays PHP has deprecated this ridiculous, or rather dangerous, functionality. However, a lot of scripts still incorporate the old, no need to worry attitude, which is a heritage from the ancestors of PHP5. The wikipedia entry of sql injections (yeah, I know) shows an extensive listing of major security breaches resulting from sql injections. After having spent some time on different websites searching for a solution I found that it is not at all as easy to find the pretty simple, and straightforward, answer to this problem.

Then, however, I stumbled upon the w3schools excellent SQL tutorials, which include a perfectly readable entry on SQL injections. And, as it turns out, avoiding them is ridiculously easy. All programmers have to do is avoid preparing a string including user input and feed it to SQL, but rather feed the string, with variables to SQL, and then provide the engine with the variables:

$dbConnection =new PDO('mysql:dbname=dbtest;host=127.0.0.1;charset=utf8','user','pass');
$dbConnection->setAttribute(PDO::ATTR_EMULATE_PREPARES,false);
$dbConnection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $dbConnection->prepare("INSERT INTO Customers (CustomerName,Address,City) VALUES (:nam, :add, :cit)");
$stmt->bindParam(':nam', $txtNam);
$stmt->bindParam(':val', $txtAdd);
$stmt->bindParam(':cit', $txtCit);
$stmt->execute();

This approach uses the PDO bindParam statement from the PDO class, and seems to be working great. Another effective option might be the mysqli class, though I have not tested it yet.