If user input is inserted without modification into an SQL query, then the application becomes vulnerable to\u00a0SQL injection, like in the following example:<\/p>\n

$unsafe_variable<\/span> = $_POST<\/span>['user_input'<\/span>]; \r\n\r\nmysql_query(\"INSERT INTO `table` (`column`) VALUES ('$unsafe_variable<\/span>')\"<\/span>);\r\n<\/code><\/pre>\n
That’s because the user can input something like\u00a0value'); DROP TABLE table;--<\/code>, and the query becomes:<\/p>\n
INSERT<\/span> INTO<\/span> `table<\/span>` (`column<\/span>`) VALUES<\/span>('value'<\/span>); DROP<\/span> TABLE<\/span> table<\/span>;--')<\/span>\r\n<\/code><\/pre>\n
What can be done to prevent this from happening ?<\/p>\n
 <\/p>\n
Solution 1<\/strong><\/p>\n
You basically have two options to achieve this:<\/p>\n
\n
Using\u00a0PDO<\/strong>\u00a0(for any supported database driver):<\/li>\n<\/ol>\n
$stmt<\/span> = $pdo<\/span>->prepare('SELECT * FROM employees WHERE name = :name'<\/span>);\r\n\r\n $stmt<\/span>->execute([ 'name'<\/span> => $name<\/span> ]);\r\n\r\n foreach<\/span> ($stmt<\/span> as<\/span> $row<\/span>) {\r\n     \/\/ Do something with $row<\/span>\r\n }<\/code>\r\n\r\n\r\n2. Using MySQLi<\/strong>\u00a0(for MySQL):\r\n\r\n<\/pre>\n
$stmt<\/span> = $dbConnection<\/span>->prepare('SELECT * FROM employees WHERE name = ?'<\/span>);\r\n $stmt<\/span>->bind_param('s'<\/span>, $name<\/span>); \/\/ 's' specifies the variable type => 'string'<\/span>\r\n\r\n $stmt<\/span>->execute();\r\n\r\n $result<\/span> = $stmt<\/span>->get_result();\r\n while<\/span> ($row<\/span> = $result<\/span>->fetch_assoc()) {\r\n     \/\/ Do something with $row<\/span>\r\n }<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
If user input is inserted without modification into an SQL query, then the application becomes vulnerable to\u00a0SQL injection, like in the following example: $unsafe_variable = $_POST[‘user_input’]; mysql_query(“INSERT INTO `table` (`column`) VALUES (‘$unsafe_variable’)”); That’s because the user can input something like\u00a0value’); DROP TABLE table;–, and the query becomes: INSERT INTO `table` (`column`) VALUES(‘value’); DROP TABLE table;–‘) […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"passster_activate_protection":false,"passster_protect_child_pages":"","passster_protection_type":"password","passster_password":"","passster_activate_overwrite_defaults":"","passster_headline":"","passster_instruction":"","passster_placeholder":"","passster_button":"","passster_id":"","passster_activate_misc_settings":"","passster_redirect_url":"","passster_hide":"no","passster_area_shortcode":"","gtb_hide_title":false,"gtb_wrap_title":false,"gtb_class_title":"","gtb_remove_headerfooter":false,"footnotes":""},"categories":[16540],"tags":[],"class_list":["post-3892","post","type-post","status-publish","format-standard","hentry","category-cyber-security"],"yoast_head":"\n