Home » Php » mysql – piece of php code for prevent hacking

mysql – piece of php code for prevent hacking

Posted by: admin July 12, 2020 Leave a comment


I have a php file at my site, and I connect to db, get some records and list them in same file.

mysql_connect("localhost", "blabla", "blabla") or die(mysql_error());
mysql_select_db("blabla") or die(mysql_error());

$blabla1 = mysql_query("SELECT * FROM gallery WHERE id_cat=1");
$blabla2 = mysql_query("SELECT * FROM gallery WHERE id_cat=2");
$blabla3 = mysql_query("SELECT * FROM gallery WHERE id_cat=3");

So, is there anything I need to do for security? Like sql-injection or anything else. there is nothing going to url. It is just www.blabla.com/gallery.php.

How to&Answers:

This snippet is perfectly safe, because there are no variables put into the query string.

To work safely in case you have to deal with variables one day – be they directly coming in from the user, or from another data source – you may want to switch over to a mySQL library that supports parametrized queries, like PDO. Those eliminate the danger of injections completely, because they take care of escaping the incoming data automatically.

If you stick with the mysql_* functions, make sure you escape all incoming any data using mysql_real_escape_string() and ensure they are inserted within a pair of single quotes.


As long as your queries don’t use parameters, SQL Injection is not a risk.
SQL Injection can only happen when the users (or other sources) can influence anything that is send to the database in SQL, for example searchwords


There are no security issues here. SQL injection might happen where you get input from the user and use it in your queries.


if gallery table contain some user input, then some XSS attack may be conducted. To prevent this, all untrusted user input must be prepared using htmlspecialchars() function before printing to the browser.


This snippet is safe, as there is no user provided input in the queries.

if you have userinput, for example by getting the category that should be displayed from the URL or from POST you should use prepared statements. this may you are safe even with user input. This is much safer than pure escaping because the sql is parsed and then the parameters are inserted. This is better for performance and the userinput can’t change the structure of the sql query.


The only thing that you might want to consider, assuming that the connection code is in the web-accessible PHP script, is to either:

  1. move the MySQL connection out of the
    script and into a file outside of
    the site’s document root

  2. or, use externally-sourced variables
    (i.e. from a different file outside
    of the document root) for the
    username and password in place of
    hard-coded details in the script

That way if, for whatever reason the server displays the code instead of rendering the PHP, then the details will remain safe from view