If the user submits a form and the values are being used in the SQL query without modifications, then it is open for SQL injections. For example:
$value = $_POST['input_value']; mysql_query("INSERT INTO `table` (`column`) VALUES ('$value')");
That’s because the user can input something anything like value’); DROP TABLE table;--, and the query becomes:
INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')
How is it possible to prevent this from the injection?
This is a standard SQL attack and is really easy to prevent, and there are many methods to prevent these attacks. One is using prepaid statements:
In a prepaid statement, the query and values are taken. Differently, this is how you will write a prepaid statement:
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) VALUES (?, ?, ?)"); $stmt->bind_param("sss", $firstname, $lastname, $email); $firstname = "John"; $lastname = "Doe"; $email = "[email protected]"; $stmt->execute();
- 1How can I sanitize user input with PHP?
- 1select statman sql server.
- 1How can i write update query in SQL
- 1how to write delete query in sql
- 1How to write insert query in SQL
- 1PHP Switch Statements with 2 Variables at a time
- 1SQL Transaction
- 1How to change PHP CLI and Apache versions on Ubuntu
- 1How do I retrieve all 60 years old above using birth_date in PHP PDO?
- 2PHP redirect function