
How can I prevent SQL injection? I saw a tutorial where the hacker could check whether a website was easy to hack just by adding ' to the URL, and if it was, it would display the error and the line where the error occurred. This is my SQL:

```php
$sql = "SELECT * FROM sell_table WHERE 1=1";

if ($names)
    $sql .= " AND names='" . mysql_real_escape_string($names) . "'";

if ($prices)
    $sql .= " AND prices='" . mysql_real_escape_string($prices) . "'";
```

This is the line that turns a name into a link:

```php
$strLink = "<a href = 'person.php?ids=" . $row['id'] . "'>" . $strName . "</a>";
```

How can I protect this from SQL injection?

user3076412
  • In short: forget all that escaping nonsense, do it the only real proper and proven watertight way, i.e. with parameterized queries. Head over to [bobby-tables.com](http://bobby-tables.com/) for a very good intro on the problem, and solutions in all common programming languages, including PHP. – fvu Dec 29 '13 at 00:07
  • Of course, as this question is asked extremely often here on SO, there are several excellent resources on the subject over here as well - see the "related" column to the right of this text, that's why I'm going to vote to close as a duplicate. – fvu Dec 29 '13 at 00:09
  • To add on to fvu's comments, you should avoid using the mysql library as it is deprecated. Your alternatives are mysqli (http://www.php.net/mysqli) or PDO (http://php.net/pdo_mysql) –  Dec 29 '13 at 00:11
  • 3
    Kudos for taking this seriously, by the way. – Andrew Barber Dec 29 '13 at 00:15
  • While the "main question" is a duplicate, for which this was closed, SQL injection and HTML injection are *different*. Make sure the data is properly escaped *when used* (and still use placeholders for the SQL). In this case it would be appropriate to use *URI escaping* such as with [`http_build_query`](http://www.php.net/manual/en/function.http-build-query.php) for the URL and [`htmlspecialchars`](http://php.net/htmlspecialchars) for the product name. – user2864740 Dec 29 '13 at 00:31
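The approach the comments recommend, applied to the query and link from the question, as an added example that is not part of the original post or any answer. It assumes an existing PDO connection `$pdo` (replacing the deprecated mysql_* calls) to a database containing `sell_table` with columns `id`, `names` and `prices`, and that `$names` and `$prices` hold raw user input as in the question.

```php
<?php
// Added example (not the asker's code): prepared statement + context-aware output escaping.
// Assumes $pdo is a PDO connection created elsewhere, e.g. new PDO('mysql:host=...;dbname=...', $user, $pass).
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares, not client-side escaping
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The SQL text only ever contains fixed fragments and named placeholders.
// User values are collected separately and never concatenated into the query string.
$sql    = "SELECT id, names, prices FROM sell_table WHERE 1=1";
$params = [];

if ($names !== null && $names !== '') {
    $sql .= " AND names = :names";
    $params[':names'] = $names;
}
if ($prices !== null && $prices !== '') {
    $sql .= " AND prices = :prices";
    $params[':prices'] = $prices;
}

$stmt = $pdo->prepare($sql); // query structure is fixed at this point
$stmt->execute($params);     // a stray ' in $names is now plain data, so no error page and no injection

foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    // Two separate contexts, escaped in order: first the URL query string,
    // then the HTML attribute and element text the link is rendered into.
    $query = http_build_query(['ids' => $row['id']]);
    $href  = htmlspecialchars('person.php?' . $query, ENT_QUOTES, 'UTF-8');
    $label = htmlspecialchars($row['names'], ENT_QUOTES, 'UTF-8');
    echo '<a href="' . $href . '">' . $label . "</a>\n";
}
```

With ERRMODE_EXCEPTION, database errors surface as exceptions you can log server-side instead of echoing the failing SQL line to the visitor.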

0 Answers