Site Owners Forums - Webmaster Forums - View Single Post

Jack Hard · 05-06-2013, 04:46 AM

If user input is inserted into an SQL query directly, the application becomes vulnerable to SQL injection, like in the following example:

$unsafe_variable = $_POST['user_input'];

mysql_query("INSERT INTO table (column) VALUES ('" . $unsafe_variable . "')");

That's because the user can input something like value'); DROP TABLE table;--, making the query:

INSERT INTO table (column) VALUES('value'); DROP TABLE table;--')

What should one do to prevent this?

05-06-2013, 04:46 AM	#1
Jack Hard Registered User Join Date: Dec 2012 Posts: 25	How to prevent SQL injection in PHP? If user input is inserted into an SQL query directly, the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST['user_input']; mysql_query("INSERT INTO table (column) VALUES ('" . $unsafe_variable . "')"); That's because the user can input something like value'); DROP TABLE table;--, making the query: INSERT INTO table (column) VALUES('value'); DROP TABLE table;--') What should one do to prevent this?