0

Possible Duplicate:
How to prevent SQL injection in PHP?

If user input is inserted into an SQL query directly, the application becomes vulnerable to SQL injection, like in the following example:

$unsafe_variable = $_POST['user_input'];

mysql_query("INSERT INTO table (column) VALUES ('" . $unsafe_variable . "')");

That's because the user can input something like value'); DROP TABLE table;--, making the query:

INSERT INTO table (column) VALUES('value'); DROP TABLE table;--')

What should one do to prevent this?

Community
  • 1
  • 1
user2008265
  • 38
  • 2
  • 2
    Prepared statements are your friend. But you can't use them if you use mysql_*, and besides, mysql_* is effectively deprecated and you shouldn't use it anyway. Switch to mysqli or PDO instead. – GordonM Jan 24 '13 at 16:41

1 Answers1

3

use mysql_real_escape_string($_POST['data']);

or i would suggest using PDO library instead

GGio
  • 7,563
  • 11
  • 44
  • 81