If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example:
```php
// User input is interpolated straight into the query text (vulnerable)
$unsafe_variable = $_POST['user_input'];
mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");
```
That's because the user can input something like `value'); DROP TABLE table;--`, and the query becomes:

```sql
INSERT INTO `table` (`column`) VALUES ('value'); DROP TABLE table;--')
```
What can be done to prevent this from happening? Continue reading “How can I prevent SQL-injection in PHP?”
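The same INSERT written so that user input never becomes part of the SQL text, as an added example that is not part of the original post. It feeds the exact payload from the text above through string concatenation (for comparison) and then through prepared statements with PDO and mysqli; the DSN, database name `app`, credentials and the `table`/`column` names are assumed placeholders.

```php
<?php
// Added example (not from the original post): the same INSERT written with
// prepared statements, which keep user input out of the SQL text entirely.
// DSN, database name, credentials and table/column names are assumed.

// Constructed sample input: the payload from the text above.
$user_input = "value'); DROP TABLE table;--";

// --- Vulnerable form (shown for comparison only): string interpolation ------
// The attacker's quote closes the string literal, so the rest of the payload
// is parsed as SQL rather than stored as data.
$unsafe_sql = "INSERT INTO `table` (`column`) VALUES ('$user_input')";
// $unsafe_sql now reads:
// INSERT INTO `table` (`column`) VALUES ('value'); DROP TABLE table;--')

// --- Safe form 1: PDO with a bound parameter --------------------------------
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4', // assumed DSN
    'app_user',                                        // assumed credentials
    'app_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Use server-side prepares instead of client-side emulation, so the
        // statement text and the value travel to the server separately.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$stmt = $pdo->prepare('INSERT INTO `table` (`column`) VALUES (:val)');
$stmt->execute([':val' => $user_input]);
// The stored row contains the literal string "value'); DROP TABLE table;--";
// no second statement is ever parsed or executed.

// --- Safe form 2: mysqli with a bound parameter -----------------------------
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors
$mysqli = new mysqli('localhost', 'app_user', 'app_password', 'app'); // assumed
$stmt2 = $mysqli->prepare('INSERT INTO `table` (`column`) VALUES (?)');
$stmt2->bind_param('s', $user_input); // 's' marks the parameter as a string
$stmt2->execute();
```

Placeholders can only stand in for values; table and column names cannot be bound. If those ever come from the user, compare them against a fixed allow-list in code before building the query, rather than quoting or escaping them.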