Protecting PHP against SQL Injection
How do I protect my PHP code from SQL Injection?
The following article explains how to protect your PHP code from SQL injection. The recent injection attacks seen against PHP-coded sites take advantage of vulnerabilities in improperly coded sites. These attacks can be mitigated by running any user input that can reach the database through a sanitization process. PHP has a built-in function called mysql_real_escape_string. This function escapes any special characters in a string, preventing them from altering the structure of the query they are placed in.
To protect your PHP code, apply this function to a variable any time its value is going to be used in a SQL query.
$variable_name = mysql_real_escape_string($variable_name);
The above example takes an existing variable, typically populated from a form field, and replaces its contents with the escaped version.
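The following is an added example and is not code from the original article. It shows the escaping approach applied to a complete query, alongside the unsafe version it replaces, and goes one step beyond the article by also showing the same lookup as a prepared statement. Two caveats a practitioner should know: the mysql_* extension was removed in PHP 7.0, so the same call is written mysqli_real_escape_string() today and it requires an open connection (escaping depends on the connection's character set); and escaping only protects values that sit inside quotes in the query, so numeric values placed without quotes must be cast instead. The connection parameters, the users table and the form field name are placeholders assumed for the example.

```php
<?php
// Added example, not from the article. Connection details are placeholders.
$link = mysqli_connect('db.example.invalid', 'app_user', 'PLACEHOLDER_PASSWORD', 'appdb');
if ($link === false) {
    die('Connection failed: ' . mysqli_connect_error());
}
// Escaping rules depend on the connection character set, so set it explicitly
// rather than relying on the server default.
mysqli_set_charset($link, 'utf8mb4');

// Helper: return the first row as an array, or null when there is none.
function first_row($result): ?array {
    if ($result === false) {
        return null;
    }
    $row = mysqli_fetch_assoc($result);
    return is_array($row) ? $row : null;
}

// VULNERABLE: the raw form value is concatenated into the SQL text, so a value
// containing a quote character ends the string literal and the remainder of
// the input is parsed as SQL.
function find_user_vulnerable(mysqli $link, string $username): ?array {
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return first_row(mysqli_query($link, $sql));
}

// ESCAPED: the article's approach. Quotes, backslashes and NUL bytes in the
// value are escaped so they are read as data. The value must still be wrapped
// in quotes in the query; escaping does nothing for an unquoted value.
function find_user_escaped(mysqli $link, string $username): ?array {
    $username = mysqli_real_escape_string($link, $username);
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return first_row(mysqli_query($link, $sql));
}

// NUMERIC VALUE: not quoted in the query, so escaping would not help.
// Casting to int guarantees only digits reach the SQL text.
function find_user_by_id(mysqli $link, $id): ?array {
    $id = (int) $id;
    $sql = "SELECT id, username FROM users WHERE id = " . $id;
    return first_row(mysqli_query($link, $sql));
}

// PREPARED STATEMENT: the value is sent separately from the SQL text, so it
// cannot change the query structure whatever it contains. This is the
// approach to prefer in current PHP.
function find_user_prepared(mysqli $link, string $username): ?array {
    $stmt = mysqli_prepare($link, 'SELECT id, username FROM users WHERE username = ?');
    if ($stmt === false) {
        return null;
    }
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    return first_row(mysqli_stmt_get_result($stmt));
}

// Usage: 'user' is the assumed form field name.
$input = $_GET['user'] ?? '';
var_dump(find_user_escaped($link, $input));
var_dump(find_user_prepared($link, $input));
```

When reviewing existing code, the check is simple: every value that reaches a query string either passed through the escape function and is wrapped in quotes, or was cast to the numeric type the column expects, or is bound to a placeholder in a prepared statement. A value that meets none of these is the injection point.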