jackhard Posted April 20, 2013 Share Posted April 20, 2013 If user input is inserted into an SQL query directly, the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST['user_input'];mysql_query("INSERT INTO table (column) VALUES ('" . $unsafe_variable . "')");That's because the user can input something like value'); DROP TABLE table;--, making the query: INSERT INTO table (column) VALUES('value'); DROP TABLE table;--') What should one do to prevent this? Quote Link to comment Share on other sites More sharing options...
trq Posted April 20, 2013 Share Posted April 20, 2013 For starters, the mysql extension has been deprecated in favour of mysqli or PDO. Both of which support prepared statements. If you really must use the mysql extension, take a look at mysql_real_escape_string at least. Quote Link to comment Share on other sites More sharing options...
jugesh Posted April 20, 2013 Share Posted April 20, 2013 Here is a nice article on SQL Injection.Please go through the link. http://www.veracode.com/security/sql-injection Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.