How can I prevent SQL-injection in PHP?

in #programming, 8 years ago (edited)

I don't want to be hacked into oblivion.

From what I understand, passing raw user input into SQL queries makes me vulnerable, for example:

$scary_stuff = $_POST['user_input']; // attacker-controlled, used verbatim
mysql_query("INSERT INTO `table` (`column`) VALUES ('$scary_stuff')"); // interpolated straight into the SQL text

That's because the user can input something like value'); DROP TABLE table;--, and the query becomes:

INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')

What can be done to prevent this from happening?

Drawing on the programming gods of steem: @miohtama @romanskv @jl777 @grz @qkyrie @kkaos
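As an added example (not part of the original post or any of the replies), here is the vulnerable query from the question placed beside its hardened form using PDO prepared statements. It uses an in-memory SQLite database so it runs offline; the table and column names, the `:val` placeholder and the `insert_unsafe`/`insert_safe` function names are assumptions for illustration. With MySQL the DSN would be of the form `mysql:host=...;dbname=...;charset=utf8mb4` and the safe function is unchanged.

```php
<?php
// Added example: vulnerable interpolation vs. a prepared statement.
// Assumptions (not from the original post): SQLite in-memory DB, table `table`,
// column `column`, placeholder :val, helper names insert_unsafe / insert_safe.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// For the MySQL driver this makes PDO use real server-side prepares instead of
// client-side emulation; it is harmless for SQLite.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE `table` (`column` TEXT)');

// Constructed attacker input: the payload from the question.
$scary_stuff = "value'); DROP TABLE table;--";

// VULNERABLE: the SQL text is assembled from user data, so the quote in the
// input ends the string literal and the rest is parsed as SQL. This function
// only returns the text it would send, to show the damage without running it.
function insert_unsafe(string $input): string {
    return "INSERT INTO `table` (`column`) VALUES ('$input')";
}

// SAFE: the SQL text is fixed at prepare() time; the value is sent separately as
// a bound parameter and can never change the structure of the statement.
function insert_safe(PDO $pdo, string $input): void {
    $stmt = $pdo->prepare('INSERT INTO `table` (`column`) VALUES (:val)');
    $stmt->execute([':val' => $input]);
}

echo "unsafe query text: " . insert_unsafe($scary_stuff) . "\n";

insert_safe($pdo, $scary_stuff);
$stored = $pdo->query('SELECT `column` FROM `table`')->fetchColumn();
// The payload was stored as a plain string and the table still exists.
var_dump($stored === $scary_stuff);
```

Two caveats worth knowing when reading the question. First, `mysql_query()` sends a single statement, so the stacked `DROP TABLE` in the example would be rejected by that call; injection is just as serious without stacking, because a payload like `' OR '1'='1` or a subquery inside the one statement still runs. Second, the old `mysql_*` extension was removed in PHP 7, so new code should use PDO as above or `mysqli`, where the equivalent is `$stmt = $mysqli->prepare('INSERT INTO `table` (`column`) VALUES (?)'); $stmt->bind_param('s', $input); $stmt->execute();`. Escaping functions are a weaker fallback; prepared statements are the fix.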