SQL injection is an attack that manipulates our database through forms: the attacker crafts the form input so that it executes actions in our database that we never intended. With this method the attacker can delete our database completely, give administrator rights to a chosen user, or lock us out of our own website. And if our site is a store, the attacker could reach customer addresses and bank account details, which is truly dangerous.
There are many ingenious ways to avoid the dreaded SQL injection, but so far there is one method that is foolproof. It is a relatively new PHP function that strips out of a text string any function that exists in MySQL; that is, before the form data is sent to the database, it checks that the data contains no MySQL function, which is what makes this function foolproof for the moment.
The function to use is:
mysql_real_escape_string();
To use it, simply put the text string to be checked inside the parentheses. For example:
// Requires an open mysql_connect() link, since the escaping depends on the connection's character set.
$_POST['usuario']  = mysql_real_escape_string($_POST['usuario']);
$_POST['nombre']   = mysql_real_escape_string($_POST['nombre']);
$_POST['apellido'] = mysql_real_escape_string($_POST['apellido']);
$_POST['email']    = mysql_real_escape_string($_POST['email']);
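The following is an added example, not code from the original post, showing the same form fields handled three ways: raw concatenation, escaping, and a prepared statement. Two caveats a practitioner should know: mysql_real_escape_string() does not remove MySQL functions from the input, it backslash-escapes the characters (quotes, backslash, NUL, newline) that would otherwise end the string literal, so the value stays data; and the whole mysql_* extension was removed in PHP 7, so the example uses its mysqli replacement, real_escape_string(), alongside the prepared statement that is the recommended defence today. The database credentials are placeholders, the table name usuarios and the sample values are assumptions, and the input is constructed inline to stand in for $_POST.

```php
<?php
// Added example (not from the original post). Assumes a MySQL/MariaDB server reachable with
// the placeholder credentials below and a table `usuarios` with the columns used in the post
// (usuario, nombre, apellido, email).
$mysqli = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
if ($mysqli->connect_error) {
    die('Connection failed: ' . $mysqli->connect_error);
}
$mysqli->set_charset('utf8mb4');

// Constructed sample input standing in for $_POST. The apostrophe in the surname is a
// perfectly legitimate value, yet it is exactly the character that breaks a concatenated query.
$input = [
    'usuario'  => 'pepe',
    'nombre'   => 'José',
    'apellido' => "O'Neill",
    'email'    => 'pepe@example.com',
];

// 1. Vulnerable: raw concatenation. The apostrophe in $input['apellido'] ends the string
//    literal early, and everything after it is parsed as SQL. At best this is a syntax error;
//    at worst the remainder of the value becomes part of the query.
$vulnerable = "SELECT * FROM usuarios WHERE apellido = '" . $input['apellido'] . "'";

// 2. Escaping: the mysqli equivalent of what the post recommends. The result is
//    O\'Neill, so the literal is terminated only by the quote the programmer wrote.
//    An open connection is required because escaping depends on the connection charset.
$escaped      = $mysqli->real_escape_string($input['apellido']);
$escapedQuery = "SELECT * FROM usuarios WHERE apellido = '" . $escaped . "'";

// 3. Prepared statement: query text and values travel separately, so nothing inside a value
//    is ever parsed as SQL. This also covers cases escaping alone does not, such as values
//    placed in an unquoted numeric position.
$stmt = $mysqli->prepare(
    'INSERT INTO usuarios (usuario, nombre, apellido, email) VALUES (?, ?, ?, ?)'
);
if ($stmt === false) {
    die('Prepare failed: ' . $mysqli->error);
}
$stmt->bind_param('ssss', $input['usuario'], $input['nombre'], $input['apellido'], $input['email']);
$stmt->execute();
echo 'Inserted rows: ' . $stmt->affected_rows . PHP_EOL;
$stmt->close();

// Print the two string-built queries so the difference is visible to the reader.
echo 'Vulnerable: ' . $vulnerable . PHP_EOL;
echo 'Escaped:    ' . $escapedQuery . PHP_EOL;
$mysqli->close();
```

Run it against a scratch database (never a production one) and compare the two printed queries: the vulnerable form carries a bare apostrophe that terminates the literal, while the escaped form carries the backslashed apostrophe. The prepared statement never builds a query string from the input at all, which is why it is preferred over escaping whenever the driver supports it.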
Learn more | Zebra Form: Special PHP library for forms