Deny user mysql inject

Possible Duplicate:
How to prevent SQL injection in PHP?

If user input is inserted into an SQL query directly, the application becomes vulnerable to SQL injection, like in the following example:

$unsafe_variable = $_POST['user_input'];

mysql_query("INSERT INTO table (column) VALUES ('" . $unsafe_variable . "')");

That's because the user can input something like value'); DROP TABLE table;-- value'); DROP TABLE table;-- , making the query:

INSERT INTO table (column) VALUES('value'); DROP TABLE table;--')

What should one do to prevent this?

---

use mysql_real_escape_string($_POST['data']);

or i would suggest using PDO library instead

链接地址: http://www.djcxy.com/p/16804.html

上一篇: 我可以使用SQL注入执行多种查询的Web语言？

下一篇: 拒绝用户mysql注入