One method of preventing SQL injection with a MySQL API is to use placeholders instead of literal values. We used these in previous examples in this chapter. This method isolates the data that will be added to the SQL statement: it does so by escaping single and double quotes. It may not seem like much, but it's fairly effective.
If placeholders are used, the SQL statements the hacker intended in the previous example will instead look as follows:
SELECT common_name, scientific_name FROM birds
WHERE common_name LIKE '%\';
GRANT ALL PRIVILEGES ON *.* TO \'bad_guy\'@\'%\';
%';
Because the quote marks the hacker entered are escaped, MySQL will treat them as literal characters and won't see them as the end of the string value. Therefore, it won't start a new SQL statement when it encounters the semicolons he entered. It won't return the names of any birds, because the pattern won't match any row in the table. More important, a bad_guy user won't be created.
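As an added illustration (not the book's own code, which talks to MySQL through its API), the following stands in SQLite's sqlite3 module for the MySQL connection and models the quote escaping with a small assumed helper: it builds the statement text shown above for the hostile search term, counts how many statements a server would parse from it with and without escaping, and runs the same search with a bound placeholder.

```python
import sqlite3

# Constructed sample rows standing in for the chapter's birds table.
BIRDS = [("Wood Thrush", "Hylocichla mustelina"),
         ("Hermit Thrush", "Catharus guttatus")]
# The hostile search term from the page's scenario, as a user would submit it.
HOSTILE_TERM = "'; GRANT ALL PRIVILEGES ON *.* TO 'bad_guy'@'%'; "

def escape_quotes(value):
    """Backslash-escape quotes as a MySQL client library does before splicing
    a placeholder value into statement text (a simplified model, assumed)."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
                 .replace('"', '\\"'))

def build_statement(term, escape=True):
    """Text of the chapter's LIKE search, with or without placeholder escaping."""
    value = escape_quotes(term) if escape else term
    return ("SELECT common_name, scientific_name FROM birds "
            "WHERE common_name LIKE '%" + value + "%';")

def count_statements(sql):
    """Count ';' outside quoted strings, honouring backslash escapes: the
    number of statements a server would parse from the text."""
    count, quote, i = 0, None, 0
    while i < len(sql):
        ch = sql[i]
        if quote:
            if ch == "\\":
                i += 1          # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
        elif ch == ";":
            count += 1
        i += 1
    return count

def make_db():
    """In-memory SQLite stand-in (assumed) for the MySQL birds table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE birds (common_name TEXT, scientific_name TEXT)")
    conn.executemany("INSERT INTO birds VALUES (?, ?)", BIRDS)
    return conn

def search_birds(conn, term):
    """Placeholder search: the term is bound as data, never parsed as SQL."""
    cur = conn.execute("SELECT common_name, scientific_name FROM birds "
                       "WHERE common_name LIKE ?", ("%" + term + "%",))
    return cur.fetchall()
```

With escaping, the whole hostile term stays inside one string literal and the server sees a single SELECT; without it, the text splits into a SELECT followed by a GRANT.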