Back

Explore Courses Blog Tutorials Interview Questions

In PHP how can I prevent SQL injection ?

0 votes
2 views
in SQL by (6.1k points)

The application becomes vulnerable to SQL injection if the user inserts the input without modification in a SQL query, example:

$unsafe_variable = $_POST['user_input']; 

mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");

It is because, user can input something like value'); DROP TABLE table;--, and query becomes like:

INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--') 

To prevent this what should be done? 

1 Answer

0 votes
by (12.7k points)
edited by

I would recommend using PDO (PHP Data Objects) to run the parameterized SQL queries.

Not only does this protect against the SQL injection, but it also speeds up the queries.

And by using PDO rather than mysql_, mysqli_, and pgsql_ functions, you make your application a little more abstracted from the database, in the rare occurrence that you have to switch database providers.

If you want to learn more about SQL, Check out this SQL Certification by Intellipaat.

Related questions

0 votes
1 answer
SQL injection that gets around mysql_real_escape_string()
asked Dec 31, 2020 in SQL by Appu (6.1k points)
0 votes
1 answer
MySQL - count total number of rows in php
asked Dec 31, 2020 in SQL by Appu (6.1k points)
0 votes
1 answer
How to use PHP foreach with MySql
asked Dec 19, 2020 in SQL by Appu (6.1k points)

Browse Categories

© COPYRIGHT 2011-2023 INTELLIPAAT.COM. ALL RIGHTS RESERVED.

Download Salary Trends Now !

Learn how professionals like you got up to 100% Salary Hike.

...