In PHP how can I prevent SQL injection ?

Question

asked Nov 29, 2020 in SQL by Appu (6.1k points)

The application becomes vulnerable to SQL injection if the user inserts the input without modification in a SQL query, example:

$unsafe_variable = $_POST['user_input']; 

mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");

It is because, user can input something like value'); DROP TABLE table;--, and query becomes like:

INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')

To prevent this what should be done?

1 Answer

Related questions

0 votes

1 answer

SQL injection that gets around mysql_real_escape_string()

asked Dec 31, 2020 in SQL by Appu (6.1k points)

0 votes

1 answer

MySQL - count total number of rows in php

asked Dec 31, 2020 in SQL by Appu (6.1k points)

0 votes

1 answer

PHP & MySQL: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given

asked Nov 29, 2020 in SQL by Appu (6.1k points)

0 votes

1 answer

SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax — PHP — PDO

asked Dec 2, 2020 in SQL by Appu (6.1k points)

0 votes

1 answer

How to use PHP foreach with MySql

asked Dec 19, 2020 in SQL by Appu (6.1k points)

Mano · Answer 1 · 2020-11-29T16:06:41+0000

I would recommend using PDO (PHP Data Objects) to run the parameterized SQL queries.

Not only does this protect against the SQL injection, but it also speeds up the queries.

And by using PDO rather than mysql_, mysqli_, and pgsql_ functions, you make your application a little more abstracted from the database, in the rare occurrence that you have to switch database providers.

If you want to learn more about SQL, Check out this SQL Certification by Intellipaat.

In PHP how can I prevent SQL injection ?

1 Answer

Related questions

Browse Categories