May 22 2008
MySQL Injection Attacks
As a PHP developer, I work quite a bit with MySQL database tables. I have worked with several in the 40 million+ record range, and on several complex projects, one of which involved interactions between over 60 different tables (not something I hope to do again, believe me).
One thing that always surprises me when working on code written by others is how frequently it is vulnerable to what are called MySQL injection attacks.
Although some servers handle it automatically (which is highly undesirable, for several reasons), any time you use user-submitted data in a MySQL query you MUST “escape” the data so that it cannot be turned into an “injection attack”.
For those of you who are programmers and are unfamiliar with what I mean, you can read up on the subject in the PHP Manual, but regardless of which database abstraction library you use (or whether you use PHP’s MySQL class/functions directly), always secure your queries by escaping everything.
I won’t post examples here, as the link above has several excellent examples of ways to prevent it, and every decent database abstraction library should have its own method of escaping data implemented and documented. Just make sure that you use the methods provided!
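As an added illustration that is not part of the original post, here is the same user lookup written three ways: with the input pasted into the SQL (the pattern that is vulnerable), with the value escaped, and with a prepared statement. The `users` table, its `username` and `email` columns and the mysqli connection details are assumed placeholders.

```php
<?php
// Added example, not code from the original post. Assumes a `users` table
// with `username` and `email` columns; the connection parameters are placeholders.
$mysqli = new mysqli('db-host', 'db-user', 'db-password', 'app_db');
if ($mysqli->connect_error) {
    die('Connection failed: ' . $mysqli->connect_error);
}

// Constructed sample input: a perfectly legitimate name that contains a quote.
// It breaks any query built by plain concatenation, which is the same weakness
// an attacker abuses with a crafted value.
$username = $_GET['username'] ?? "O'Reilly";

// 1. Vulnerable: the raw value becomes part of the SQL text, so a quote in it
//    ends the string literal and the rest of the input is parsed as SQL.
$unsafe = "SELECT email FROM users WHERE username = '" . $username . "'";

// 2. Escaped: real_escape_string() neutralises quotes, backslashes and NUL
//    bytes using the connection's character set, so the value stays inside
//    the literal. Caveat: this only protects values placed inside quotes;
//    numeric values must be cast, and identifiers cannot be escaped this way.
$escaped = $mysqli->real_escape_string($username);
$safe    = "SELECT email FROM users WHERE username = '" . $escaped . "'";

// 3. Preferred: a prepared statement sends the SQL and the value separately,
//    so the value is never parsed as SQL and no manual escaping is needed.
$stmt = $mysqli->prepare('SELECT email FROM users WHERE username = ?');
$stmt->bind_param('s', $username);   // 's' = bind as a string
$stmt->execute();
$stmt->bind_result($email);
while ($stmt->fetch()) {
    // Escape for HTML on output as well; SQL escaping does not cover that.
    echo htmlspecialchars($email, ENT_QUOTES, 'UTF-8'), "\n";
}
$stmt->close();
$mysqli->close();
```

Only the prepared-statement form is executed here; the first two strings are built to show the difference in the query text.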

P.S. I am currently able to accept a limited number of additional clients for my PHP Development services. Interested in discussing the possibility of my handling your project for you? Contact me!