SQL Injection is a common and serious security vulnerability in which an attacker manipulates the SQL queries an application sends to its database by supplying crafted input. It can lead to unauthorized data access, data corruption, or even data loss.
The rule specifically targets PHP code that constructs SQL queries from unsanitized input. This practice is risky because it lets potentially harmful data become part of the query text itself rather than remaining a value the database compares against. For instance, if user input is concatenated directly into a SQL WHERE clause, the user can alter the query to return unintended data, or even execute arbitrary SQL statements.
To avoid violating this rule and to prevent SQL Injection, never build SQL queries from raw, unsanitized input. Instead, use prepared statements, parameterized queries, or ORM methods that bind values for you. These practices keep user input separate from the query structure, so it cannot change what the query does. Another good practice is to allowlist permitted inputs, particularly for identifiers such as column names, which can’t be bound as parameters the way data values can. For example, if you need to order by a user-specified column, check that the column name is one of a predefined list of allowable columns before using it.
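The following is an added example, not code from the rule page: a concatenated query of the kind the rule flags, the same lookup as a PDO prepared statement, and an allowlisted ORDER BY column. It assumes a `users` table with columns `id`, `name`, `email` and `created_at`, and uses an in-memory SQLite database so it runs stand-alone.

```php
<?php
declare(strict_types=1);

// FLAGGED BY THE RULE: the email value is spliced into the query text.
// A value containing a quote changes the SQL itself instead of being compared as data.
function findUserVulnerable(PDO $pdo, string $email): array|false
{
    $sql = "SELECT id, name FROM users WHERE email = '" . $email . "'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// FIXED: the placeholder is bound at execute time, so the value can never alter the query structure.
function findUserSafe(PDO $pdo, string $email): array|false
{
    $stmt = $pdo->prepare("SELECT id, name FROM users WHERE email = :email");
    $stmt->execute([':email' => $email]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Identifiers cannot be bound as parameters, so the sort column is checked against an allowlist.
const ORDERABLE_COLUMNS = ['name', 'email', 'created_at'];

function listUsersOrdered(PDO $pdo, string $orderBy, string $direction = 'ASC'): array
{
    if (!in_array($orderBy, ORDERABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('Unsupported sort column: ' . $orderBy);
    }
    // Only the two literal keywords are ever interpolated; any other input falls back to ASC.
    $direction = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';
    $stmt = $pdo->query("SELECT id, name, email FROM users ORDER BY {$orderBy} {$direction}");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data (assumption): an in-memory SQLite database with two users.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, created_at TEXT)");
$pdo->exec("INSERT INTO users (name, email, created_at) VALUES ('Ada', 'ada@example.com', '2024-01-01')");
$pdo->exec("INSERT INTO users (name, email, created_at) VALUES ('O''Brien', \"o'brien@example.com\", '2024-02-01')");

// A legitimate email with an apostrophe: the prepared statement handles it as plain data...
var_dump(findUserSafe($pdo, "o'brien@example.com")['name']);   // string(7) "O'Brien"
// ...while the concatenating version turns the same value into a SQL syntax error.
try {
    findUserVulnerable($pdo, "o'brien@example.com");
} catch (PDOException $e) {
    echo "vulnerable query failed: " . $e->getMessage() . PHP_EOL;
}
print_r(listUsersOrdered($pdo, 'created_at', 'desc'));
```

Run with `php example.php`; an unsupported sort column such as `listUsersOrdered($pdo, 'id; DROP TABLE users')` is rejected by the allowlist before any query is built.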