Remediation Steps

Follow the steps below to remediate this finding on Generic / Developer guidance.

  1. MySQL-specific SQL injection abuses MySQL's own syntax and built-in functions (for example LOAD_FILE() and SELECT ... INTO OUTFILE) rather than generic SQL alone, so the remediation combines safe query construction with restricting what the database account is allowed to do.

  2. Remediation:

    • Use PDO or MySQLi with prepared statements — never string-concatenate user input into queries.
    • Revoke the FILE privilege, which is what LOAD_FILE() and SELECT ... INTO OUTFILE require, from the application user:
    REVOKE FILE ON *.* FROM 'appuser'@'localhost';
    • Set the MySQL user to only have SELECT, INSERT, UPDATE, DELETE on the application database — never GRANT or SUPER.
    • Enable MySQL's strict mode so that oversized or invalid values raise an error instead of being silently truncated, which closes off data truncation exploitation:
    SET GLOBAL sql_mode = 'STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION';
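
The following PHP/PDO code is an added example written for this guidance; it is not code from the original page. It applies the bullets above in one place: a prepared statement beside the concatenation pattern it replaces, an allow-list for identifiers that cannot be bound, a least-privilege provisioning routine for the application user, and a verification query. The host, the `appdb` schema, the `users` table, the `appuser` account and the password placeholder are all hypothetical.

```php
<?php
// Added example, not part of the original remediation page. The database,
// table, user names and the password placeholder are hypothetical.
declare(strict_types=1);

// Application connection: exceptions on error, server-side prepares so the
// SQL text and the parameters travel to MySQL separately.
function appConnection(): PDO
{
    $dsn = 'mysql:host=127.0.0.1;dbname=appdb;charset=utf8mb4';
    return new PDO($dsn, 'appuser', getenv('APP_DB_PASSWORD') ?: '', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// The pattern the page warns against: user input spliced into the query
// text, so the input can change the query's structure.
function findUserVulnerable(PDO $db, string $email): array
{
    $sql = "SELECT id, email FROM users WHERE email = '" . $email . "'";
    return $db->query($sql)->fetchAll();
}

// Hardened form: the value is bound as a parameter and is only ever
// compared literally against the column, whatever characters it contains.
function findUser(PDO $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Identifiers (column names, ORDER BY targets) cannot be bound as
// parameters; validate them against a fixed allow-list instead.
function listUsersSorted(PDO $db, string $column): array
{
    $allowed = ['id', 'email', 'created_at'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    return $db->query("SELECT id, email FROM users ORDER BY `$column`")->fetchAll();
}

// Least privilege and strict mode, run once from an administrative
// connection (for example during deployment), never from the application.
function provisionAppUser(PDO $admin): void
{
    // Placeholder password; supply the real one from a secret store.
    $admin->exec("CREATE USER IF NOT EXISTS 'appuser'@'localhost' IDENTIFIED BY 'replace-me'");
    // Start from nothing: this removes FILE, GRANT OPTION and SUPER too.
    $admin->exec("REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'appuser'@'localhost'");
    // Only DML on the application schema.
    $admin->exec("GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'appuser'@'localhost'");
    // SET GLOBAL alone is lost at restart; SET PERSIST (MySQL 8.0 and later)
    // also records the value in mysqld-auto.cnf so strict mode survives.
    $admin->exec("SET PERSIST sql_mode = 'STRICT_TRANS_TABLES,NO_ENGINE_SUBSTITUTION'");
}

// Checks that confirm the provisioning took effect.
function verifyAppUser(PDO $admin): array
{
    $grants = $admin->query("SHOW GRANTS FOR 'appuser'@'localhost'")->fetchAll(PDO::FETCH_COLUMN);
    $mode   = (string) $admin->query('SELECT @@GLOBAL.sql_mode')->fetchColumn();
    return [
        'grants'      => $grants,
        'file_priv'   => (bool) preg_grep('/\bFILE\b/', $grants),       // must be false
        'strict_mode' => str_contains($mode, 'STRICT_TRANS_TABLES'),   // must be true
    ];
}
```

Two points worth keeping in mind when adapting this: `PDO::ATTR_EMULATE_PREPARES => false` matters because with emulation enabled the PHP driver interpolates parameters client-side instead of sending a true server-side prepared statement, and the page's `SET GLOBAL sql_mode` line takes effect immediately but does not persist across a server restart, so the setting should also live in the server configuration (or be applied with `SET PERSIST` as above).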