added 1 character in body; edited title
Ry-

How can I prevent SQL injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example:

$unsafe_variable = $_POST['user_input']; 

mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");

That's because the user can input something like value'); DROP TABLE table;--, and the query becomes:

INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')

What can be done to prevent this from happening?

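As an added example that is not part of the question or any of its revisions: the interpolated query from the question placed beside the prepared-statement fix, using the same payload, so the difference is visible. It assumes PHP with PDO and the pdo_sqlite driver (an in-memory SQLite database, so it runs offline); the table and column names mirror the question, and the function names are my own. The unsafe query is only built as text, never executed.

```php
<?php
// Added example, not code from the question. Assumes PDO + pdo_sqlite.
// For MySQL, replace the DSN with "mysql:host=...;dbname=..." and the
// rest stays the same.
declare(strict_types=1);

// Constructed sample input: the exact payload quoted in the question,
// as it would arrive in $_POST['user_input'].
$userInput = "value'); DROP TABLE table;--";

// 1. The vulnerable pattern from the question: the value is spliced into
//    the SQL text, so quotes and semicolons inside it change the statement.
//    Returned as a string here so we can show what the server would receive.
function buildUnsafeQuery(string $unsafeVariable): string
{
    return "INSERT INTO `table` (`column`) VALUES ('$unsafeVariable')";
}

// 2. The fix: a prepared statement. The statement shape is fixed when it is
//    prepared and the value is sent separately as a bound parameter, so the
//    payload is stored as plain data and cannot become SQL.
function insertSafely(PDO $pdo, string $value): void
{
    $stmt = $pdo->prepare('INSERT INTO `table` (`column`) VALUES (:value)');
    $stmt->bindValue(':value', $value, PDO::PARAM_STR);
    $stmt->execute();
}

// Rows currently in the table, so the result of the safe insert can be checked.
function fetchColumn(PDO $pdo): array
{
    return $pdo->query('SELECT `column` FROM `table`')->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL, turn off emulated prepares so the server itself keeps the query
// and the data apart; pdo_sqlite does not use this attribute.
if ($pdo->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
}
$pdo->exec('CREATE TABLE `table` (`column` TEXT)');

echo "SQL text the vulnerable code would send:\n";
echo '  ', buildUnsafeQuery($userInput), "\n\n";

insertSafely($pdo, $userInput);

echo "Rows after the parameterised insert (table still exists):\n";
foreach (fetchColumn($pdo) as $row) {
    echo '  [', $row, "]\n";
}
```

The same applies to every other clause position: a value that is bound as a parameter never needs escaping, and the single query shape is what keeps the `--` comment and the extra `DROP TABLE` statement from having any meaning. Table or column names cannot be bound this way, so those must come from a fixed allow-list in the code rather than from the request.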

Post Locked by Robert Harvey
Notice added Wiki Answer by Robert Harvey
This question was first posed to address PHP specifically, and the answers reflect that. **This is not a canonical answer for any language.** Add PHP back in...
user456814

edited title to: How can I prevent SQL-injection in PHP?

Removed horizontal scrollbars, it's distracting.
user456814


Removed tag from title.
apxcode
Removed literal ** from code block since not interpreted as markdown inside code block.
toxalot
Added grave accents to queries
Companjo
Rollback to Revision 38
Josh Crozier
Added more explanation.
Madurai
Rollback to Revision 36
Your Common Sense
Removed mysql tag
Replaced sentence with a more appropriate version.
Andrew
added 12 characters in body
Chris Cooper
added 1 character in body
sybear
deleted 54 characters in body
tckmn
added 4 characters in body
Chris Seymour
deleted 2 characters in body
Deepu
Edited with code tags
Joran Den Houting
added 2 characters in body
j0k
changed back to mysql_* changing it to mysqli_* does NOTHING....
Naftali
edited tags
Zaffy
edited title
yoozer8
Changed mysql to mysqli
pattyd