How can I prevent SQL injection in PHP?
Posted: Mon Mar 17, 2014 6:51 am
If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example:

Code:
$unsafe_variable = $_POST['user_input'];
mysql_query("INSERT INTO table (column) VALUES ('" . $unsafe_variable . "')");

That's because the user can input something like value'); DROP TABLE table;--, and the query becomes:

Code:
INSERT INTO table (column) VALUES('value'); DROP TABLE table;--')

What can be done to prevent this from happening?
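The standard fix for the problem the post describes is to stop building SQL text out of user input and instead send the query and the values separately as a prepared statement. The following is an added example, not code from the original post: it places the concatenation pattern from the question beside a parameterised PDO query. It uses an in-memory SQLite database so it runs offline; the table name `items`, the column `value` and the hostile input string are constructed for this example.

```php
<?php
// Added example, not part of the original post. Contrasts the string-built
// query from the question with a parameterised one. SQLite in memory is used
// only so the script runs offline; the same prepare()/execute() calls work
// unchanged against MySQL with a 'mysql:...' DSN.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With MySQL you would also set PDO::ATTR_EMULATE_PREPARES to false so that
// values are bound server-side rather than escaped into the query text.
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, value TEXT NOT NULL)');

// Constructed input with the same shape as the one in the question.
$user_input = "value'); DROP TABLE items;--";

// UNSAFE: the input becomes part of the SQL text, so its quote and semicolon
// are parsed as SQL syntax. Kept here only to make the contrast visible.
function build_unsafe_sql(string $input): string
{
    return "INSERT INTO items (value) VALUES ('" . $input . "')";
}

// SAFE: the SQL text is fixed; the value travels as a bound parameter and is
// never parsed as SQL, whatever characters it contains.
function insert_safe(PDO $pdo, string $input): void
{
    $stmt = $pdo->prepare('INSERT INTO items (value) VALUES (:value)');
    $stmt->execute([':value' => $input]);
}

// Show the query the unsafe pattern would produce, without executing it.
echo "Unsafe query text would be:\n  " . build_unsafe_sql($user_input) . "\n\n";

// Run the safe version and read the row back.
insert_safe($pdo, $user_input);
$stored = $pdo->query('SELECT value FROM items')->fetchAll(PDO::FETCH_COLUMN);

// The hostile string is stored verbatim as data and the table still exists.
$table_exists = (bool) $pdo->query(
    "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'items'"
)->fetchColumn();

echo "Stored value: " . $stored[0] . "\n";
echo "Stored equals input: " . var_export($stored[0] === $user_input, true) . "\n";
echo "Table still exists:  " . var_export($table_exists, true) . "\n";
```

The same separation of query and data is available through `mysqli` with `prepare()` and `bind_param()`. The legacy `mysql_*` extension used in the question has no prepared-statement support at all and was removed in PHP 7, so moving to PDO or `mysqli` is part of the fix rather than an optional cleanup.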