How to prevent SQL injection in PHP?

Discussion in 'Website Development & Design' started by Boby Smith, May 6, 2013.

  1. Boby Smith

    Boby Smith
    Member

    Joined:
    Dec 15, 2011
    Messages:
    30
    Likes Received:
    2
    If user input is inserted into an SQL query directly, the application becomes vulnerable to SQL injection, like in the following example:

    // Vulnerable: the raw request value is concatenated straight into the SQL text.
    $unsafe_variable = $_POST['user_input'];

    // Whatever the user typed becomes part of the statement the server executes.
    mysql_query("INSERT INTO table (column) VALUES ('" . $unsafe_variable . "')");

    That's because the user can input something like value'); DROP TABLE table;--, making the query:

    INSERT INTO table (column) VALUES('value'); DROP TABLE table;--')

    What should one do to prevent this?
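The usual fix is to keep the SQL text constant and hand the user's value to the database separately, as a bound parameter of a prepared statement. The following is an added example, not code from the original post: the same INSERT written with PDO (and, for comparison, mysqli), assuming a MySQL database reachable with the placeholder DSN and credentials shown, a table named `table` with a column named `column` as in the post, and PHP 7 or later. The hypothetical helper names (connect, insertValue, insertValueMysqli) are this example's own.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post). Placeholder DSN and credentials:
// replace them with your own before running.
function connect(): PDO
{
    $dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
    return new PDO($dsn, 'app_user', 'app_password', [
        // Throw on errors instead of failing silently.
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepared statements, not client-side emulation,
        // so the query text and the data travel to the server separately.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Inserts $value into `table`.`column` with PDO. The SQL string is a constant;
// the value is bound at execute time, so input such as
//   value'); DROP TABLE table;--
// is stored as a literal string and cannot alter the statement.
function insertValue(PDO $pdo, string $value): int
{
    $stmt = $pdo->prepare('INSERT INTO `table` (`column`) VALUES (:value)');
    $stmt->execute([':value' => $value]);
    return $stmt->rowCount(); // 1 on success
}

// Same operation with mysqli, for code bases that still use the mysql_* style.
// 's' tells bind_param the placeholder receives a string.
function insertValueMysqli(mysqli $db, string $value): int
{
    $stmt = $db->prepare('INSERT INTO `table` (`column`) VALUES (?)');
    $stmt->bind_param('s', $value);
    $stmt->execute();
    return $stmt->affected_rows;
}

// Identifiers (table and column names) cannot be bound as parameters. If one
// has to vary with the request, check it against an allow-list of known names
// rather than concatenating it into the query.
function checkedColumn(string $requested): string
{
    $allowed = ['column', 'other_column']; // constructed list for this example
    if (!in_array($requested, $allowed, true)) {
        throw new InvalidArgumentException('unknown column');
    }
    return $requested;
}

$pdo   = connect();
$input = $_POST['user_input'] ?? '';
$rows  = insertValue($pdo, $input);
echo "inserted {$rows} row(s)\n";
```

The point of the PDO options is that ATTR_EMULATE_PREPARES set to false makes PDO send the statement template and the parameters as two separate protocol messages, so escaping never enters into it; with emulation on, PDO quotes the value client-side, which still works but relies on the connection charset being set correctly (hence the charset in the DSN). Note that a prepared statement only protects values; table and column names still have to come from an allow-list as shown.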
     
  2. Taz

    Taz
    New Member

    Joined:
    Dec 20, 2010
    Messages:
    21
    Likes Received:
    0
    But how would one upload this to the desired site that they want to attack?
     
  3. GeekGhost

    GeekGhost
    Member

    Joined:
    Oct 5, 2012
    Messages:
    217
    Likes Received:
    96
    If the server has mod_security installed with a good rule set, it should prevent many of these types of attacks. If you are on shared hosting you'll need to ask your host if they use it.
     