FAUSTINE MWOYA December 13, 2025 2 min read

How to Prevent SQL Injection in PHP MySQL (Real Examples)

Learn how to prevent SQL Injection in PHP MySQL with real examples, using MySQLi and PDO to protect your database against attacks.

Introduction

SQL Injection is one of the most dangerous attacks against PHP MySQL systems. If it is not prevented:

❌ An attacker can read, modify or delete all of the data in the database.

In this post you will see real examples of the mistakes and the correct ways to prevent them.

What is SQL Injection?

It happens when user input is placed directly into an SQL query without validation or protection.

Dangerous Example ❌
// Vulnerable: untrusted POST values are concatenated straight into the SQL text
$email = $_POST['email'];
$password = $_POST['password'];

// The quotes in the input become part of the query, so the input can change its logic
$sql = "SELECT * FROM users WHERE email='$email' AND password='$password'";

If the attacker enters:

email: ' OR 1=1 --
password: anything

➡️ They will log in without valid credentials.

The Correct Way to Prevent SQL Injection
1️⃣ Use Prepared Statements (PDO – Recommended)
// The "?" placeholders are sent separately from the query text, so the values are
// always treated as data, never as SQL
$stmt = $pdo->prepare("SELECT * FROM users WHERE email=? AND password=?");
$stmt->execute([$email, $password]);
$user = $stmt->fetch();

✔ User input is not interpreted as SQL code

2️⃣ Prepared Statements (MySQLi)
// Same idea with the MySQLi procedural API; 'ss' declares both bound values as strings
$stmt = mysqli_prepare($conn, "SELECT * FROM users WHERE email=? AND password=?");
mysqli_stmt_bind_param($stmt, 'ss', $email, $password);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);

✔ Much safer than using a plain query

3️⃣ Do Not Rely on mysqli_real_escape_string() Alone
// Escapes quotes for the current connection charset, but only protects quoted string values
$email = mysqli_real_escape_string($conn, $_POST['email']);

❌ This alone is not enough to prevent SQL Injection

✔ Use it together with prepared statements

4️⃣ Validate and Sanitize Inputs
// Reads the POST field and strips characters that are not valid in an email address
$email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);

✔ It blocks dangerous data before it reaches the database

5️⃣ Do Not Store Passwords as Plain Text

❌ Wrong:

$password = $_POST['password'];

✔ Correct:

// PASSWORD_DEFAULT picks the current recommended algorithm and generates a salt
$hash = password_hash($_POST['password'], PASSWORD_DEFAULT);

And verify:

// Compares the submitted password against the stored hash; returns true or false
password_verify($password, $hash);

Major Mistakes to Avoid ❌

❌ Concatenating user input directly into SQL

❌ Not using prepared statements

❌ Storing passwords without hashing

❌ Hiding SQL errors without logging them

Debug & Security Tips

✔ Use PDO + exceptions

✔ Limit DB user permissions

✔ Use HTTPS

✔ Log errors instead of showing them to users
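The following is an added example, not code from the original post, that puts sections 1, 5 and the tips above together: a PDO connection with exceptions enabled, registration that stores only a password hash, and a login that looks the user up with a bound parameter and checks the password with password_verify() in PHP. It assumes a `users` table with columns id, email and password_hash; the DSN and credentials are placeholders.

```php
<?php
// Added example (not from the original post). Assumes a `users` table with
// columns id, email, password_hash; DSN and credentials are placeholders.
declare(strict_types=1);
function dbConnect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4', // placeholder DSN
        'app_user',     // placeholder: a DB account limited to this app's tables
        'app_password', // placeholder
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // errors throw, nothing silently fails
            PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepared statements
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// Store only a hash of the password, never the plain text.
function registerUser(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
    return $stmt->execute([$email, password_hash($password, PASSWORD_DEFAULT)]);
}

// Look the user up by email with a bound parameter, then check the password in PHP.
// The password never becomes part of the SQL text, and an email of "' OR 1=1 --"
// is compared as a literal string, so it matches no row.
function login(PDO $pdo, string $email, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT id, email, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $user = $stmt->fetch();
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return null; // same answer for unknown email and wrong password
    }
    unset($user['password_hash']);
    return $user;
}

try {
    $email    = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL) ?: '';
    $password = $_POST['password'] ?? '';
    $user     = login(dbConnect(), $email, $password);
    echo $user === null ? 'Invalid email or password' : 'Welcome, ' . htmlspecialchars($user['email']);
} catch (PDOException $e) {
    error_log($e->getMessage()); // log the SQL error, do not show it to the user
    http_response_code(500);
    echo 'Something went wrong, please try again later.';
}
```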
