Find solution
How to prevent an SQL injection in PHP?

How do i prevent sql injection attacks with php and mysql?

  • Answer:

    Use the mysql_real_escape_string() function of PHP and always test user input to ensure it's valid. Lots of good links on the Wikipedia article below.

aksh at Yahoo! Answers Visit the source

Was this solution helpful to you?

Other answers

It goes further than just making sure that you have a mysql_real_escape_string() in place. Try this: [PHP] function prepareInsert($value) { // Stripslashes if ( get_magic_quotes_gpc() ) { $value = stripslashes( $value ); } // Quote if not a number or a numeric string if ( !is_numeric( $value ) ) { $value = "'" . mysql_real_escape_string($value) . "'"; } return $value; } [/PHP] This should be called such as: [PHP] $insert_sql = mysql_query("INSERT INTO table VALUES(NULL," . prepareInsert($_POST['field']) . ")"); [/PHP] It will automatically check to see if it's a number and if not place the quotes in there for you. Just simplifies things. Another thing is when you are calling this value please use htmlentities() it works perfectly. Best of luck, Chad R. Smith

Helpful Chad

Also search for "1 = 1" and make sure you don't use it in your queries, since that string is a sure indicator that somebody is probing your forms for SQL injection vulnerabilities.

veraperezp

Related Q & A:

Just Added Q & A:

Find solution

For every problem there is a solution! Proved by Solucija.

  • Got an issue and looking for advice?

  • Ask Solucija to search every corner of the Web for help.

  • Get workable solutions and helpful tips in a moment.

Just ask Solucija about an issue you face and immediately get a list of ready solutions, answers and tips from other Internet users. We always provide the most suitable and complete answer to your question at the top, along with a few good alternatives below.