106Views1Replies

Author Options:

How can I prevent SQL-injection in PHP? Answered

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL Injection, like in the following example:

$unsafe_variable = $_POST['user_input']; 

mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");

That's because the user can input something like value'); DROP TABLE table;--, and the query becomes:

INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')

What can be done to prevent this from happening?

Thanks!

Tags:sql

1 Replies

user
steveastrouk (author)2014-07-22

Just use parameterised queries.

Select as Best AnswerUndo Best Answer