How to prevent SQL injection in PHP?

Mon May 06, 2013 2:21 pm

If user input is inserted into an SQL query directly, the application becomes vulnerable to SQL injection, like in the following example:

$unsafe_variable = $_POST['user_input'];

mysql_query("INSERT INTO table (column) VALUES ('" . $unsafe_variable . "')");

That's because the user can input something like value'); DROP TABLE table;--, making the query:

INSERT INTO table (column) VALUES('value'); DROP TABLE table;--')

What should one do to prevent this?
Jack Hard
 
Posts: 6
Joined: Fri Dec 07, 2012 6:44 am
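The fix the post is asking for is to stop building the query string out of user input at all and send the value separately, as a bound parameter. The following is an added example, not code from the original post: it uses PDO prepared statements, runs against an in-memory SQLite database so it works without a server (the MySQL DSN and the `ATTR_EMULATE_PREPARES` setting are shown for the real deployment), and feeds it the exact payload from the post to show it ends up stored as a harmless string. The `comments`/`body` schema and the function names are my own choices; the `mysql_*` extension in the post was removed in PHP 7, so everything here is PDO.

```php
<?php
// Added example (not from the original post): parameterised queries with PDO.
// The SQL goes to the driver with placeholders; the user's input travels
// separately as data, so a quote or ';' inside it can never end the statement.
declare(strict_types=1);

// Hypothetical DSN. For MySQL you would use something like
//   'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4'
// The demo uses an in-memory SQLite database so it runs with no server.
$dsn = 'sqlite::memory:';

$options = [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
];
if (strncmp($dsn, 'mysql:', 6) === 0) {
    // Ask MySQL for real server-side prepared statements instead of letting
    // the driver splice quoted values into the query text on the client.
    $options[PDO::ATTR_EMULATE_PREPARES] = false;
}
$pdo = new PDO($dsn, null, null, $options);

// Schema for the demo (the post's "table (column)" made concrete).
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

/** Insert one row; $body may contain anything the user typed. */
function insertComment(PDO $pdo, string $body): void
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (?)');
    $stmt->execute([$body]);
}

/** Rows whose body equals $body, again via a bound (named) parameter. */
function findComments(PDO $pdo, string $body): array
{
    $stmt = $pdo->prepare('SELECT id, body FROM comments WHERE body = :body');
    $stmt->execute([':body' => $body]);
    return $stmt->fetchAll();
}

/**
 * Placeholders only bind values. A table or column name that comes from the
 * outside cannot be bound, so it must be checked against a fixed allow-list.
 */
function orderedComments(PDO $pdo, string $orderBy): array
{
    $allowed = ['id', 'body'];
    if (!in_array($orderBy, $allowed, true)) {
        throw new InvalidArgumentException("unexpected sort column: $orderBy");
    }
    return $pdo->query("SELECT id, body FROM comments ORDER BY $orderBy")->fetchAll();
}

// Constructed input: the payload from the post, aimed at our table name.
$payload = "value'); DROP TABLE comments;--";
insertComment($pdo, 'hello');
insertComment($pdo, $payload);

// The payload was stored as a plain string and the table still exists.
$rows = findComments($pdo, $payload);
if (count($rows) !== 1 || $rows[0]['body'] !== $payload) {
    throw new RuntimeException('payload was not stored verbatim');
}
if (count(orderedComments($pdo, 'id')) !== 2) {
    throw new RuntimeException('table should hold exactly two rows');
}

foreach (orderedComments($pdo, 'id') as $row) {
    printf("%d: %s\n", $row['id'], $row['body']);
}
```

Run it with `php example.php`; it prints both rows, the second one being the attack string stored literally. The same idea works with `mysqli`: `$stmt = $mysqli->prepare('INSERT INTO comments (body) VALUES (?)'); $stmt->bind_param('s', $body); $stmt->execute();`. Escaping functions are a weaker substitute because they depend on the connection character set being set correctly and cover only quoted string literals, and nothing protects identifiers, `LIMIT` counts, or `ORDER BY` columns except validating them against a list you control.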
