Php Security Sql Injection Xss Csrf Prevention Complete Guide

 Last Update:2025-06-22T00:00:00     .NET School AI Teacher - SELECT ANY TEXT TO EXPLANATION.    7 mins read      Difficulty-Level: beginner

Understanding the Core Concepts of PHP Security SQL Injection, XSS, CSRF Prevention

PHP Security: SQL Injection, XSS, CSRF Prevention

1. SQL Injection Prevention

SQL Injection occurs when malicious users manipulate SQL queries to extract unauthorized data from a database or perform unauthorized actions. Employing Prepared Statements/Templates and Parameterized Queries can mitigate these risks. Here's how:

  • Prepared Statements: Use the mysqli or PDO (PHP Data Objects) extension to prepare SQL queries before executing them. These functions replace SQL parameters (? or named placeholders :param in PDO) with actual values after escaping them, enhancing security.

    // Using PDO
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username");
$stmt->execute(['username' => $username]);

  • Escaping User Input: Although deprecated in favor of prepared statements, PDO::quote() or mysqli_real_escape_string() can sanitize input; however, using prepared statements is more reliable.

    // Deprecated method - Avoid
$safeUsername = $pdo->quote($username);  // or $safeUsername = mysqli_real_escape_string($conn, $username);
$stmt = $pdo->query("SELECT * FROM users WHERE username = $safeUsername");

  • Use of Modern Libraries: Choose libraries or frameworks that follow secure practices by default. Eloquent ORM provided by Laravel, for example, automatically uses prepared statements unless explicitly told otherwise.

2. Cross-Site Scripting (XSS) Prevention

XSS attacks enable attackers to inject client-side scripts (JavaScript) into web pages viewed by other users. These scripts can steal session cookies, steal sensitive information, log keystrokes, or perform other malicious actions. Implement the following strategies to prevent XSS:

  • HTML Entity Encoding: Convert user-generated content to HTML entities to prevent browsers from executing them as JavaScript. PHP functions htmlspecialchars() and htmlentities() are effective for this purpose.

    echo htmlspecialchars($userContent, ENT_QUOTES, 'UTF-8'); // Converts <, >, &, ", and ' to HTML entities

  • Content Security Policy (CSP): Implement CSP to restrict the sources from which content can be loaded in your web application, providing an additional layer of defense against XSS.

    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' https://trusted.cdn.com">

  • Filter Input, Sanitize Output: Always sanitize and validate user inputs and encode outputs after processing, not before outputting.

3. Cross-Site Request Forgery (CSRF) Prevention

CSRF attacks trick a user into submitting a request they did not intend to make to a web application they are authenticated on. Here are methods to protect against CSRF:

  • CSRF Tokens: Include unique, secret tokens in forms that can only be generated and verified by the server. Tokens should be unique and random for each request.

    // Generate and store token in session
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));

// Include in form
<form method="post">
    <input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($_SESSION['csrf_token']); ?>">
    <!-- ... -->
</form>

// Verify on server-side
if ($_POST['csrf_token'] !== $_SESSION['csrf_token']) {
    die("Invalid CSRF token");
}

  • Double Submit Cookie Pattern: Store the CSRF token in both a cookie and the request parameter. On the server side, compare both tokens before processing the request.

    // Set cookie
setcookie('CSRF-Token', $token, ['samesite' => 'strict', 'path' => '/']);

// Include in form
<form method="post">
    <input type="hidden" name="CSRF-Token" value="<?php echo htmlspecialchars($token); ?>">
</form>

// Server-side verification
if ($_POST['CSRF-Token'] !== $_COOKIE['CSRF-Token']) {
    die("Invalid CSRF token");
}

  • SameSite Cookie Attribute: Set the SameSite attribute on cookies to Strict or Lax, preventing the cookie from being sent with cross-site requests.

Online Code run

🔔 Note: Select your programming language to check or run code at

💻 Run Code Compiler

Step-by-Step Guide: How to Implement PHP Security SQL Injection, XSS, CSRF Prevention

1. Preventing SQL Injection

Problem: SQL Injection is a type of attack where malicious SQL statements are inserted into an entry field for execution.

Solution: Use prepared statements with parameterized queries.

Example:

Suppose you have a login form, and you are capturing the user's credentials via POST method.

Vulnerable Code:

<?php
$servername = "localhost";
$username = "user";
$password = "pass";
$dbname = "myDB";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

$user = $_POST['username'];
$pass = $_POST['password'];

// Vulnerable query
$sql = "SELECT * FROM users WHERE username='$user' AND password='$pass'";
$result = $conn->query($sql);

if ($result->num_rows > 0) {
    // output data of each row
    while($row = $result->fetch_assoc()) {
        echo "id: " . $row["id"]. " - Name: " . $row["username"]. "<br>";
    }
} else {
    echo "0 results";
}

$conn->close();
?>

Secure Code:

<?php
$servername = "localhost";
$username = "user";
$password = "pass";
$dbname = "myDB";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

$user = $_POST['username'];
$pass = $_POST['password'];

// Prepare and bind
$stmt = $conn->prepare("SELECT * FROM users WHERE username=? AND password=?");
$stmt->bind_param("ss", $user, $pass);

// Execute the statement
$stmt->execute();

$result = $stmt->get_result(); // Get the result set
if ($result->num_rows > 0) {
    // output data of each row
    while($row = $result->fetch_assoc()) {
        echo "id: " . $row["id"]. " - Name: " . $row["username"]. "<br>";
    }
} else {
    echo "0 results";
}

$stmt->close();
$conn->close();
?>

2. Preventing Cross-Site Scripting (XSS)

Problem: XSS is a type of security vulnerability that allows attackers to inject client-side scripts into web pages viewed by other users.

Solution: Properly sanitize and escape user inputs to prevent injecting malicious script code.

Example:

Imagine you have a comments section where users can post comments.

Vulnerable Code:

<?php
if (isset($_POST['comment'])) {
    $comment = $_POST['comment'];
    echo "<p>" . $comment . "</p>";
}
?>

Secure Code:

<?php
if (isset($_POST['comment'])) {
    // Sanitize the input
    $comment = htmlspecialchars($_POST['comment'], ENT_QUOTES, 'UTF-8');
    echo "<p>" . $comment . "</p>";
}
?>

3. Preventing Cross-Site Request Forgery (CSRF)

Problem: CSRF is a type of attack that forces an end user to execute unwanted actions on a web application in which they're authenticated.

Solution: Use anti-CSRF tokens in forms.

Example:

Suppose you have a form to edit user details.

Secure Code:

First, generate a random token when the form is loaded and store it in a session:

<?php
session_start();

// Generate a CSRF token
$token = bin2hex(random_bytes(32));
$_SESSION['csrf_token'] = $token;

// Display login form with token
?>
<form method="POST" action="edit_user.php">
    <input type="hidden" name="csrf_token" value="<?php echo $token; ?>" />
    <input type="text" name="name" placeholder="Your name">
    <input type="email" name="email" placeholder="Your email">
    <button type="submit">Update</button>
</form>

Then, validate the token when the form is submitted:

You May Like This Related .NET Topic

📥 Download Code ▶️ Watch Online 📖 Read Description

Login to post a comment.