0

If user input is inserting without modification from SQL query, then the application becomes vulnerable to SQL injection, like in the following example:

$unsafe_variable = $_POST['user_input']; 

mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");

That's because the user can input something like value '); DROP TABLE table;--, and the query becomes:

INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')

What can be done to prevent this from happening?

Vivek Singh
  • 2,453
  • 1
  • 14
  • 27
  • what's the point of duplicating a well-answered question?? – Alex Shesterov Jun 25 '15 at 11:11
  • You just copied the whole question, literally — that's wrong. The question you copied has >20 answers, some of them are several pages long and cover the topic in details. If that isn't enough, I recommend you to get books on PHP and SQL. – Alex Shesterov Jun 25 '15 at 11:20

1 Answers1

2

There is extensive information through simple Google searches that can guide you in the right direction. To start though:

DON'T USE MYSQL_* FUNCTIONS These are deprecated and will generate warnings. They are not even remotely good practice for modern web development.

USE A DATABASE LIBRARY INSTEAD like PDO or MySQLi. There's plenty of tutorials to get you started and most importantly these libraries take care of SQL injection for you. So use them!

Ciaran
  • 553
  • 3
  • 11
  • 27