Intellipaat Back

Explore Courses Blog Tutorials Interview Questions
0 votes
in SQL by (6.1k points)

The application becomes vulnerable to SQL injection if the user inserts the input without modification in a SQL query, example:

$unsafe_variable = $_POST['user_input']; 

mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");

It is because, user can input something like value'); DROP TABLE table;--, and query becomes like:

INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--') 

To prevent this what should be done? 

1 Answer

0 votes
by (12.7k points)
edited by

I would recommend using PDO (PHP Data Objects) to run the parameterized SQL queries.

Not only does this protect against the SQL injection, but it also speeds up the queries.

And by using PDO rather than mysql_, mysqli_, and pgsql_ functions, you make your application a little more abstracted from the database, in the rare occurrence that you have to switch database providers.

If you want to learn more about SQL, Check out this SQL Certification by Intellipaat.

Related questions

0 votes
1 answer
0 votes
1 answer
asked Dec 31, 2020 in SQL by Appu (6.1k points)
0 votes
1 answer
asked Dec 19, 2020 in SQL by Appu (6.1k points)

Browse Categories