if you search for ‘ or ” and it breaks your software

, ,

Chances are if you are using a database and your application errors out when you enter ‘ or ” into a field and you get an error this usually means your prone to SQL injection. While SQL injection is very dangerous it’s relatively simple to resolve. Now I say its simple but it could mean lots of re-work for you.

I don’t want to talk about how to prevent and cure SQL injection. But, I want to show a solution to this problem. There are already so many great resources out there on how to resolve this issue.

Really the best quick thing you can do is escape all ” and ‘. PHP has a lot of really useful commands to carry out this like mysql_real_escape_string(deprecated) But, probably the biggest thing that can be done is to use PDO(PHP Data Objects).


This sample query

$sql = <<<SQL
SELECT * FROM users WHERE users.id = ‘123’;

would turn into something like this

$sql = <<<SQL
SELECT * FROM users WHERE users.id = :user_id
$sth = $dbh->prepare($sql);
$sth->execute([‘:user_id’ => ‘1234’]);
$results = $stmt->fetchAll(PDO::FETCH_ASSOC)


Some useful links:

  • http://php.net/manual/en/security.database.sql-injection.php
  • https://phpdelusions.net/pdo
  • https://www.w3schools.com/sql/sql_injection.asp