added 1 character in body; edited title

Source Link

edited Oct 1, 2016 at 8:08

222.9k
55
483
489

How can I prevent SQL-injection injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection SQL injection, like in the following example:

$unsafe_variable = $_POST['user_input']; 

mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");

That's because the user can input something like value'); DROP TABLE table;--, and the query becomes:

INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')

What can be done to prevent this from happening?

How can I prevent SQL-injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example:

$unsafe_variable = $_POST['user_input']; 

mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");

That's because the user can input something like value'); DROP TABLE table;--, and the query becomes:

INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')

What can be done to prevent this from happening?

How can I prevent SQL injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example:

$unsafe_variable = $_POST['user_input']; 

mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");

That's because the user can input something like value'); DROP TABLE table;--, and the query becomes:

INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')

What can be done to prevent this from happening?

Post Locked by Robert Harvey

occurred May 20, 2014 at 21:30

Notice added Wiki Answer by Robert Harvey

occurred May 20, 2014 at 21:30

This question was first posed to address PHP specifically, and the answers reflect that. **This is not a canonical answer for any language.** Add PHP back in...

Link

edited May 14, 2014 at 22:53

user456814

How can I prevent SQL injection-injection in PHP?

Removed horizontal scrollbars, it's distracting.

Source Link

edited May 14, 2014 at 22:41

user456814

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example:

$unsafe_variable = $_POST['user_input']; 

mysql_query("INSERT INTO `table` (`column`) VALUES ('" . $unsafe_variable . "''$unsafe_variable')");

That's because the user can input something like value'); DROP TABLE table;--, and the query becomes:

INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')

What can be done to prevent this from happening?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example:

$unsafe_variable = $_POST['user_input']; 

mysql_query("INSERT INTO `table` (`column`) VALUES ('" . $unsafe_variable . "')");

That's because the user can input something like value'); DROP TABLE table;--, and the query becomes:

INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')

What can be done to prevent this from happening?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example:

$unsafe_variable = $_POST['user_input']; 

mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");

That's because the user can input something like value'); DROP TABLE table;--, and the query becomes:

INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')

What can be done to prevent this from happening?

Removed tag from title.

Link

edited May 11, 2014 at 17:03

axwcode

7.8k
7
31
41

Loading

Removed literal ** from code block since not interpreted as markdown inside code block.

Source Link

edited Apr 8, 2014 at 1:01

toxalot

11.6k
6
38
59

Loading

Added grave accent's to query's

Source Link

edited Apr 6, 2014 at 22:06

Companjo

1.8k
19
24

Loading

Rollback to Revision 38

Source Link

edited Jan 26, 2014 at 18:27

Josh Crozier

238.8k
56
399
312

Loading

Added more explanation.

Source Link

edited Jan 17, 2014 at 6:40

Madurai

297
3
16

Loading

Rollback to Revision 36

Link

edited Jan 16, 2014 at 21:19

Your Common Sense

157.6k
42
220
354

Loading

Removed mysql tag

Link

edited Jan 16, 2014 at 4:44

Sajad Karuthedath

15.4k
4
33
49

Loading

Replaced sentence with a more appropriate version.

Source Link

edited Dec 21, 2013 at 6:27

Andrew

3.6k
4
27
45

Loading

added 12 characters in body

Source Link

edited Dec 17, 2013 at 21:16

Chris Cooper

17.4k
10
54
70

Loading

added 1 characters in body

Source Link

edited Dec 16, 2013 at 14:48

sybear

7.8k
1
23
38

Loading

deleted 54 characters in body

Source Link

edited Dec 16, 2013 at 14:01

tckmn

58.8k
27
116
156

Loading

added 4 characters in body

Source Link

edited Dec 16, 2013 at 13:32

Chris Seymour

85k
31
164
206

Loading

deleted 2 characters in body

Source Link

edited Dec 16, 2013 at 11:35

웃웃웃웃웃

11.9k
15
62
92

Loading

Edited with code tags

Source Link

edited Oct 31, 2013 at 10:07

Joran Den Houting

3.2k
4
22
51

Loading

added 2 characters in body

Source Link

edited Sep 18, 2013 at 8:27

j0k

22.7k
28
80
90

Loading

changed back to mysql_* changing it to mysqli_* does NOTHING....

Source Link

edited Aug 26, 2013 at 14:23

Naftali

145.9k
40
246
304

Loading

edited tags

Link

edited Aug 18, 2013 at 12:24

user823738

17.3k
8
53
78

Loading

edited title

Link

edited Aug 6, 2013 at 13:44

yoozer8

7.5k
7
61
96

Loading

Changed mysql to mysqli

Source Link

edited Jul 17, 2013 at 15:04

pattyd

6.1k
11
39
57

Loading

rollback to 18

Link

edit approved Jun 20, 2013 at 4:27

chenjian

1
2

Loading

Collectives™ on Stack Overflow

Return to Question

How can I prevent SQL-injection injection in PHP?

How can I prevent SQL-injection in PHP?

How can I prevent SQL injection in PHP?

How can I prevent SQL injection-injection in PHP?