07-27-2023, 08:08 AM
If user input is inserted without modification into an SQL query, then the application becomes vulnerable to [SQL injection][1], like in the following example:
```php
$unsafe_variable = $_POST['user_input'];
mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");
```
That's because the user can input something like `value'); DROP TABLE table;--`, and the query becomes:
```sql
INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')
```
What can be done to prevent this from happening?
[1]:
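Added example (not code from the question's author): the same INSERT written with a prepared statement, which is the standard answer to the question above. The SQL text is fixed when `prepare()` is called and the user's input travels separately as a bound parameter, so the database never parses it as SQL. The script runs offline against an in-memory SQLite database (assumption: the `pdo_sqlite` extension is available); the function names `openDatabase`, `insertUserInput`, `storedValues` and `insertUserInputMysqli` are hypothetical, and for MySQL only the DSN and credentials would change.

```php
<?php
// Added example, not part of the original post.
// Assumption: pdo_sqlite is enabled, so the demo needs no database server.
declare(strict_types=1);

function openDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    // Same table and column names as the post; SQLite accepts backtick quoting too.
    $pdo->exec('CREATE TABLE `table` (`column` TEXT NOT NULL)');
    return $pdo;
}

// Safe version of the post's INSERT: the query text contains only a placeholder,
// and the value is bound at execute() time, so it cannot change the statement.
function insertUserInput(PDO $pdo, string $userInput): void
{
    $stmt = $pdo->prepare('INSERT INTO `table` (`column`) VALUES (:value)');
    $stmt->execute([':value' => $userInput]);
}

function storedValues(PDO $pdo): array
{
    return $pdo->query('SELECT `column` FROM `table` ORDER BY rowid')
               ->fetchAll(PDO::FETCH_COLUMN);
}

// The mysqli equivalent for code bases that do not use PDO. It needs a live
// MySQL connection, so it is defined here but not called in this offline demo.
function insertUserInputMysqli(mysqli $db, string $userInput): void
{
    $stmt = $db->prepare('INSERT INTO `table` (`column`) VALUES (?)');
    $stmt->bind_param('s', $userInput);   // 's' binds the value as a string
    $stmt->execute();
}

$pdo = openDatabase();

// The exact payload from the post; in a real handler it would come from $_POST['user_input'].
$payload = "value'); DROP TABLE table;--";
insertUserInput($pdo, $payload);

// The table still exists and the payload was stored as an ordinary string.
if (storedValues($pdo) !== [$payload]) {
    throw new RuntimeException('unexpected table contents');
}
echo 'stored verbatim: ' . storedValues($pdo)[0] . PHP_EOL;
```

Two practical notes for MySQL: put the connection charset in the DSN (for example `charset=utf8mb4`) so the driver and server agree on how the bound value is encoded, and keep `PDO::ATTR_EMULATE_PREPARES` set to `false` so the placeholder is resolved by the server rather than by client-side quoting. The `mysql_*` functions used in the question have no prepared-statement support and are removed from modern PHP, so migrating to PDO or mysqli is part of the fix.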