jackhard Posted April 20, 2013 Share Posted April 20, 2013 If user input is inserted into an SQL query directly, the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST['user_input'];mysql_query("INSERT INTO table (column) VALUES ('" . $unsafe_variable . "')");That's because the user can input something like value'); DROP TABLE table;--, making the query: INSERT INTO table (column) VALUES('value'); DROP TABLE table;--') What should one do to prevent this? Link to comment https://forums.phpfreaks.com/topic/277167-how-to-prevent-sql-injection-in-php/ Share on other sites More sharing options...
trq Posted April 20, 2013 Share Posted April 20, 2013 For starters, the mysql extension has been deprecated in favour of mysqli or PDO. Both of which support prepared statements. If you really must use the mysql extension, take a look at mysql_real_escape_string at least. Link to comment https://forums.phpfreaks.com/topic/277167-how-to-prevent-sql-injection-in-php/#findComment-1425919 Share on other sites More sharing options...
jugesh Posted April 20, 2013 Share Posted April 20, 2013 Here is a nice article on SQL Injection.Please go through the link. http://www.veracode.com/security/sql-injection Link to comment https://forums.phpfreaks.com/topic/277167-how-to-prevent-sql-injection-in-php/#findComment-1425920 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.