Avoiding SQL injection

• Easiest method is to use placeholders in query:

• • db_call(“SELECT id FROM users WHERE name=? AND pass=?”, $name, $pass)

• If database API does not allow that, use db specific quote filter on user input:

• • db_quote($name)
  • db_quote($pass)

• Depending on DBMS, stored procedures can also prevent SQL injection