#1
Old 06-24-10, 10:46
vivoices
Registered User
 
Join Date: Jul 2009
Posts: 45
SQL Injection Prevention

I understand that the best way to prevent SQL Injection is to use server side Prepared Statements (Parameterized Queries) and input validation on the client.

This seems to be necessary for INSERT, UPDATE and REPLACE statements only, since they change the database.

Can someone point me to some good examples for Prepared Statements for PHP / MySQL on Apache?

What is the performance impact of Prepared Statements?

Thanks,
David
#2
Old 06-24-10, 12:20
blindman
World Class Flame Warrior
 
Join Date: Jun 2003
Location: Ohio
Posts: 11,726
Incorrect. Even SELECT statements can be used for SQL Injection. The idea is that an SQL transaction is hidden in the SELECT statement.
__________________
If it's not practically useful, then it's practically useless.

blindman
www.chess.com: "sqlblindman"
#3
Old 06-24-10, 12:21
healdem
Jaded Developer
 
Join Date: Nov 2004
Location: out on a limb
Posts: 9,250
input validation at the client yes, input validation at the server definitely
make use of the inbuilt PHP functions such as mysql_real_escape_string

don't trust anything from outside the system (any user input)
don't trust anything that may be stored on or modified on the remote system (eg cookies, POST,GET or other variables)

in essence this is too big a topic for a site such as this, in part because we don't seem to get much activity on the PHP forums these days. So I'd suggest you find a site which specialises in PHP

you may also want to look at
mysql_client_encoding() - Returns the name of the character set
addslashes() - Quote string with slashes
stripslashes() - Un-quotes a quoted string
The magic_quotes_gpc directive
The magic_quotes_runtime directive
__________________
I'd rather be riding my Versys or my Tiger 800 let alone the Norton
#4
Old 06-24-10, 12:53
vivoices
Registered User
 
Join Date: Jul 2009
Posts: 45
Thanks a lot for your replies.
No SQL statements come directly from the client in my application.
The client sends parameter values or JSON objects (as strings) to PHP.
PHP stores all SQL statements in an include-directory that is only accessible locally on the server.

So when I validate on the client AND on the server with:
1. erasing suspicious keywords (can anyone point to a list?)
2. erasing suspicious characters (can anyone point to a list?)
3. then escaping with mysqli_real_escape_string
4. then using the validated parameters in Prepared Statements (Parameterized Queries)
5. data transfer between client and PHP only over secure SSL protocol.

I should be on the safe side, right?


David

Last edited by vivoices; 06-24-10 at 12:57.
#5
Old 06-24-10, 16:25
healdem
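The worked example requested in post #1, added by the editor and not code from any poster: a user lookup written once with string concatenation and once with a mysqli prepared statement, plus a parameterized INSERT, covering the steps listed in post #4. The `users` table, its columns, the credentials, the username rule and the use of get_result() (which needs the mysqlnd driver) are all assumptions; the SELECT case is included because, as blindman notes, reads are injectable too.

```php
<?php
// Added example (editor's, not a poster's): the same user lookup done unsafely and safely with mysqli.
// Assumptions: a `users` table with id/username/email, placeholder credentials, mysqlnd for get_result().
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors instead of failing silently
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholder credentials
$db->set_charset('utf8mb4'); // escaping functions key on the connection charset, so set it explicitly

// UNSAFE: the request value is spliced into the SQL text. A SELECT built this way is just as
// injectable as an INSERT, which is blindman's point above.
function findUserUnsafe(mysqli $db, string $username): ?array
{
    $sql = "SELECT id, username, email FROM users WHERE username = '" . $username . "'";
    $row = $db->query($sql)->fetch_assoc();
    return $row ?: null;
}

// SAFE: the statement text goes to the server with a placeholder; the value is bound separately
// and is never parsed as SQL, so the value itself needs no keyword stripping or escaping.
function findUser(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, email FROM users WHERE username = ?');
    $stmt->bind_param('s', $username); // 's' = string, 'i' = integer, 'd' = double, 'b' = blob
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// The same pattern for a write with two parameters; returns the new row id.
function createUser(mysqli $db, string $username, string $email): int
{
    $stmt = $db->prepare('INSERT INTO users (username, email) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $email);
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

// Server-side validation still belongs here: it enforces what a username may look like for the
// application, independently of the SQL layer. The rule below is an assumption.
$username = $_POST['username'] ?? '';
if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
    http_response_code(400);
    exit('invalid username');
}
var_dump(findUser($db, $username));
```

Because the bound value never becomes part of the statement text, the escaping step is unnecessary for parameters passed this way; it only matters for values that are still concatenated into SQL.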
Jaded Developer
 
Join Date: Nov 2004
Location: out on a limb
Posts: 9,250
PHP is designed to be aware of problems of SQL injection attacks, providing the developer uses the appropriate functions that should stop someone tagging the payload on the back of the SQL query.

providing you make certain that the SQL sent to the server is what you expect then there shouldn't be an issue

as others have said
injection attacks are an attempt by a scumbag to tack on another bit of SQL on the back of what you intended.
usually that's trying to get usernames & passwords.

as said before this isn't 'the' forum for PHP... the Google reference to the PHP site should help discovering what you need to know
__________________
I'd rather be riding my Versys or my Tiger 800 let alone the Norton