SQL injection is an attack in which an adversary smuggles SQL syntax (quote characters, comment markers, extra clauses or statements) into the input values that a web application pastes into its queries, so that the database executes statements the developer never intended, up to reading, modifying or deleting data at will. Using parameterized query syntax keeps the SQL text and the user-supplied data separate, which prevents these injection attacks on valuable web sites and other database-backed applications.
To use parameterized queries you need the MySQLi extension rather than the legacy mysql_* functions, which have no prepared-statement support. For example:
The key function that facilitates the parameterization of your SQL statement is
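An added example of the MySQLi approach (this is illustrative code written for this page, not the original author's example): the untrusted value is bound to a `?` placeholder with `bind_param()`, so the query shape is fixed at `prepare()` time and the value can only ever be treated as data. The table `users(id, username, email)`, the host name and the credentials are assumed placeholders.

```php
<?php
// Added example, not from the original page. Assumes a table
// users(id, username, email); host and credentials are placeholders.
declare(strict_types=1);

// Throw exceptions on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('db.example.invalid', 'app_user', 'PLACEHOLDER_PASSWORD', 'app_db');
$db->set_charset('utf8mb4');

// Untrusted input, e.g. from a login form.
$username = $_POST['username'] ?? '';

// Vulnerable pattern (kept as a comment for contrast): the input becomes part of
// the SQL text, so a stray single quote in it terminates the string literal and
// whatever follows is parsed as SQL.
// $sql = "SELECT id, email FROM users WHERE username = '$username'";

// Parameterized version: the statement is compiled first, the value is sent
// separately, and the server never re-parses it as SQL.
$stmt = $db->prepare('SELECT id, email FROM users WHERE username = ?');
$stmt->bind_param('s', $username);   // 's' = string; 'i' = integer, 'd' = double, 'b' = blob
$stmt->execute();

$result = $stmt->get_result();       // requires the mysqlnd driver (default since PHP 5.4)
while ($row = $result->fetch_assoc()) {
    printf("%d %s\n", $row['id'], $row['email']);
}
$stmt->close();
$db->close();
```

Prepared statements can be executed repeatedly with different bound values, which is both faster and keeps every execution injection-safe; the type letter passed to `bind_param()` should match the column type so that numeric comparisons are not done on strings.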
PDO is another option for parameterizing your queries to make them secure. Using PDO, the MySQLi example above can be re-written as:
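The same query with PDO, as an added example rather than the page's own code (table, host and credentials are again assumed placeholders). PDO uses named or positional placeholders and, with `ATTR_EMULATE_PREPARES` disabled, real server-side prepares; the second query shows typed binding of an integer taken from the URL.

```php
<?php
// Added example, not from the original page. Assumes users(id, username, email);
// DSN host and credentials are placeholders.
declare(strict_types=1);

$dsn = 'mysql:host=db.example.invalid;dbname=app_db;charset=utf8mb4';
$pdo = new PDO($dsn, 'app_user', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly
    PDO::ATTR_EMULATE_PREPARES   => false,                  // let the server do the preparing
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Untrusted string value: named placeholder, value passed to execute().
$username = $_POST['username'] ?? '';
$stmt = $pdo->prepare('SELECT id, email FROM users WHERE username = :username');
$stmt->execute([':username' => $username]);
foreach ($stmt as $row) {
    printf("%d %s\n", $row['id'], $row['email']);
}

// Untrusted integer value: validate first, then bind with an explicit type so the
// comparison is numeric rather than a string compare.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('invalid id');
}
$stmt = $pdo->prepare('SELECT id, email FROM users WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$user = $stmt->fetch();   // false when no row matched
```

Placeholders can only stand in for values. Table and column names, and the direction of an `ORDER BY`, cannot be bound; if those come from user input, map them through a fixed allow-list of known identifiers before building the query.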
A less elegant approach to hack-proofing your SQL statements is to use the mysql_real_escape_string function to escape the special characters in your input variables before concatenating them into the query. Note that the mysql_* extension it belongs to was deprecated in PHP 5.5 and removed in PHP 7.0, so this approach only applies to legacy code; its MySQLi counterpart is mysqli::real_escape_string.
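An added example (not from the original page) of the escaping approach using the still-available `mysqli::real_escape_string()`, showing why it is the weaker option: escaping only protects a value that the query wraps in single quotes, so the example validates and casts an unquoted numeric value instead of escaping it, and separately handles `LIKE` wildcards, which escaping leaves untouched. Table, host and credentials are assumed placeholders.

```php
<?php
// Added example, not from the original page. Assumes users(id, username, email);
// host and credentials are placeholders.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('db.example.invalid', 'app_user', 'PLACEHOLDER_PASSWORD', 'app_db');
// Escaping is charset-aware: set the connection charset, never rely on a default.
$db->set_charset('utf8mb4');

// 1. A string value: escaping works ONLY because the SQL wraps it in single quotes.
$username = $_POST['username'] ?? '';
$safeName = $db->real_escape_string($username);
$sql = "SELECT id, email FROM users WHERE username = '$safeName'";

// 2. A numeric value in an unquoted position: escaping adds nothing here, since no
//    quote is needed to leave a numeric literal. Validate and cast instead.
$idRaw = $_GET['id'] ?? '';
// Wrong, still injectable: "... WHERE id = " . $db->real_escape_string($idRaw)
if (!ctype_digit($idRaw)) {
    http_response_code(400);
    exit('invalid id');
}
$id  = (int) $idRaw;
$sql2 = "SELECT id, email FROM users WHERE id = $id";

// 3. A LIKE pattern: real_escape_string() does not touch % and _, which remain
//    wildcards inside LIKE, so escape them explicitly after the SQL escaping.
$search  = $_GET['q'] ?? '';
$pattern = strtr($db->real_escape_string($search), ['%' => '\%', '_' => '\_']);
$sql3 = "SELECT id, email FROM users WHERE email LIKE '{$pattern}%'";

foreach ([$sql, $sql2, $sql3] as $query) {
    $result = $db->query($query);
    while ($row = $result->fetch_assoc()) {
        printf("%d %s\n", $row['id'], $row['email']);
    }
}
$db->close();
```

Because correctness depends on every call site remembering the quoting rules, escaping is easy to get wrong under maintenance, which is why prepared statements are the preferred defence and escaping is best reserved for legacy code that cannot yet be converted.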