Here I will use PHP and MySQL examples for its wide usage and also I’m much more comfortable with it.

Here is a basic PHP code that most developers will come up with to access the MySQL DB and get the record of a particular username submitted from a form in our website.

<?php
# Get posted username value
$userName = $_POST["usname"];
# MySQL query string to get the record of the user
$queryStr = "SELECT * FROM users WHERE usname = '$userName'");
# Output the string for debugging
echo $queryStr;
# Execute the MySQL query
$result = mysql_query($queryStr) or die(mysql_error());
?>

For example if the username that was submitted is nazly the code will output the following query and execute it.

SELECT * FROM users WHERE usname = 'nazly'

While the query works perfectly and returns the record of that particular user, a attacker can exploit this code by injecting SQL using the submission form.

For example if the attacker submits ‘ OR ‘t’='t instead of the username the query will be formed like this.

SELECT * FROM users WHERE usname = '' OR 't'='t'

When this query is executed, it will return all the records in the database since t=t will be TRUE always. The impact it will have on the website will be depend on the code after executing the query. But the important thing is someone can make the query behave differently than what we actually expected from it.

It can become deadlier than that if someone submits the following instead of the username
a’;DROP TABLE users; SELECT * FROM userinfo WHERE ‘t’ = ‘t
The query for the above value will look like this

SELECT * FROM users WHERE usname = 'a';
DROP TABLE users;
SELECT * FROM userinfo WHERE 't' = 't'

If the above query is executed, it will delete the whole users table. Similarly an attacker can inject any type of SQL code to modify/delete your tables in the database.

It is a huge security flaw in your code but newbies and even some experienced developers don’t understand the depth of problem. So developers should make sure to take precautionary measures against it.

In PHP you can use the mysql_real_escape_string() function for this task. This function will escape any special characters in the string to be used in a SQL statement.

<?php
# Get posted username value by escaping special characters
$userName = mysql_real_escape_string($_POST["usname"]);
# MySQL query string to get the record of the user
$queryStr = "SELECT * FROM users WHERE usname = '$userName'");
# Output the string for debugging
echo $queryStr;
# Execute the MySQL query
$result = mysql_query($queryStr) or die(mysql_error());
?>

If you try to inject SQL to this example, it will have no affect to the Database since the use of this function

If you are a developing a WordPress plugin for your website, you must make sure to protect the site against SQL injection as well. Since WordPress has its own class for database manipulation you should use the methods available in WordPress.

The escape() function in the WPDB class is much similar to using the standard mysql_real_escape_string() function.

<?php
function myWpPluginFunc($usName){
    global $wpdb;
    $u = $wpdb->escape($usName);
    $wpdb->query("SELECT * FROM users WHERE usname = '$u'");
}
?>

But there is a better option available in WordPress. Rather than escaping individual values you can format the SQL statement and then use the prepare() function in the WPDB class to escape the special characters. The syntax is similar to using sprintf(). Using the prepare() function, the developer is sure that all values are escaped. So less chance for errors.

<?php
function myWpPluginFunc($usName){
    global $wpdb;
    $qstr = $wpdb->prepare("SELECT * FROM users WHERE usname = %s", $usName);
    $wpdb->query($qstr);
}
?>

For more check out Data Validation in WordPress.

I wish MySQL functions in PHP had a similar function like WordPress’s prepare()

Export/Backup

Using the mysqldump client it is possible to backup a database into a SQL file which will contain SQL statements that can recreate the database tables when restored.

The following command from shell can be executed to backup a specific database

mysqldump -u [username] -p [password] [databasename] > [backupfile.sql]

Click Here for more options on using mysqldump

Import/Restore

You can use this command from shell to restore the database using the SQL dump file

mysql -u [username] -p [password] [databasename] < [backupfile.sql]

So thats quite basic and safest ways to import/export. But then you might ask whats the options you have if you are on a shared server and do not have SSH access. Well then PHPMyAdmin is the only choice available coz its web-based. Most servers have PHPMyAdmin as an option in the Server's Control Panel. Worst case if you don't have it or cannot find it you simply can download the source from www.phpmyadmin.net and upload the files via FTP and set it up. Installation is quite simple if you follow the Documentation.txt file. Once it is setup you can create databases etc. When you have selected a database from the left panel there will be tabs called SQL and Export. Using the SQL tab you can restore the database using your SQL dump file. Similarly you can use the Export option to export the data to a SQL file.

But then again you come across problems when you have a large MySQL dump. Exporting a large database won't be a problem but there are times that the SQL dump file tends to get corrupted for various reasons. Importing a large SQL dump file would create a problems coz with default installations there is a 2MB upload limit. This is not a PHPMyAdmin limit. This limit is set in the PHP configuration. To increase this upload limit you have to change the post_max_size and upload_max_filesize directives in the php.ini and then you can restore a large SQL dump. But if you are on a shared hosting server its highly unlikely that you can change the directives in the php.ini file. So thats where most people get stuck. When you are moving from your local machine to the server this is one problem you will face. Similar problem I faced when I had to move a large database from a server that I could SSH to a shared hosting server. I dumped the database to a SQL file using mysqldump command line utility and then when I tried to restore using PHPMyAdmin there was this upload limit. Arghh.. At that time I simply split the file manually into smaller files which are less than 2MB and uploaded one by one. It came to about 7 files at that time so didn't really bother about splitting them manually. This is a dirty trick but still effective but I won't suggest you to use this method. At a later time when I came across a similar instance I planned to write a tiny PHP script that would do the job. But thankfully I got a new server that I could SSH into.

So things can get bit messy at these situations so gotta figure out ways to overcome those with the limited resources we have. Lately I found BigDump: Staggered MySQL Dump Importer which seems to do the job on the web servers with hard runtime limit. So I guess I have more choices now. I haven't tried out this yet. Hopefully can play around with this next time when I have tight limits.

Copy one record from a table to another

1

INSERT INTO `dest_table` SELECT * FROM source_table WHERE id = '10'

It can be very simple as this. Even multiple records can be copied from a single table or several tables. If I'm not mistaken INSERT … SELECT works on MySQL versions 4.1 and above.