Chances are, if you are using a database and your application errors out when you enter ' or " into a field, you're prone to SQL injection. While SQL injection is very dangerous, it's relatively simple to resolve. Now, I say it's simple, but it could mean lots of re-work for you.
I don't want to go over how to prevent and cure SQL injection in depth; there are already so many great resources out there on how to resolve this issue. I just want to show one solution to the problem.
Really, the quickest thing you can do is escape every " and '. PHP has a lot of useful functions for this, like mysql_real_escape_string() (deprecated, and removed along with the rest of the mysql_ extension in PHP 7). But probably the biggest improvement you can make is to use PDO (PHP Data Objects) with prepared statements, so that values are sent to the database separately from the SQL text instead of being spliced into it.
This sample query

```php
$sql = <<<SQL
SELECT * FROM users WHERE users.id = '123';
SQL;
```
would turn into something like this:

```php
$sql = <<<SQL
SELECT * FROM users WHERE users.id = :user_id
SQL;
// $dbh is an existing PDO connection. The value is bound to :user_id at execute
// time, so the database receives it as data and never parses it as SQL.
$sth = $dbh->prepare($sql);
$sth->execute([':user_id' => '123']);
$results = $sth->fetchAll(PDO::FETCH_ASSOC);
```
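To make the difference concrete, here is an added example (not code from the original post) that runs the string-built query beside the PDO prepared-statement form against a constructed in-memory SQLite table; it assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not from the original post. Uses a constructed in-memory
// SQLite table so it runs offline; assumes the pdo_sqlite extension is loaded.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$dbh->exec("INSERT INTO users (id, name) VALUES (123, 'alice'), (124, 'bob')");

// Vulnerable form: the user-supplied value is pasted into the SQL text, so any
// quote it contains becomes SQL syntax. This is the pattern the post describes
// as erroring out when ' or " is typed into a field.
function findUserUnsafe(PDO $dbh, string $userId): array
{
    $sql = "SELECT * FROM users WHERE users.id = '$userId'";
    return $dbh->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the value travels as a bound parameter. Whatever it contains,
// the database compares it against users.id as data, never as SQL.
function findUserSafe(PDO $dbh, string $userId): array
{
    $sql = <<<SQL
SELECT * FROM users WHERE users.id = :user_id
SQL;
    $sth = $dbh->prepare($sql);
    $sth->execute([':user_id' => $userId]);
    return $sth->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal id, an id with a stray quote (the "application
// errors out" case), and the textbook tautology that the unsafe query cannot tell
// apart from a real condition.
$inputs = ['123', "123'", "' OR '1'='1"];
foreach ($inputs as $input) {
    try {
        $unsafe = count(findUserUnsafe($dbh, $input)) . ' rows';
    } catch (PDOException $e) {
        $unsafe = 'error (' . $e->getMessage() . ')';
    }
    $safe = count(findUserSafe($dbh, $input));
    printf("input %-16s unsafe: %-40s safe: %d rows\n", json_encode($input), $unsafe, $safe);
}
```

The unsafe version returns 1 row, then a syntax error, then every row in the table; the prepared statement returns 1 row for the real id and 0 rows for both malformed inputs, because nothing in the bound value is ever interpreted as SQL.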
Some useful links:
- http://php.net/manual/en/security.database.sql-injection.php
- https://phpdelusions.net/pdo
- https://www.w3schools.com/sql/sql_injection.asp