Avoiding SQL injection
The easiest method is to use placeholders (a parameterized query), so the values never become part of the SQL text:
db_call("SELECT id FROM users WHERE name=? AND pass=?", $name, $pass)
If the database API does not support placeholders, apply the DBMS-specific quote filter to every piece of user input before it is concatenated into the query:
db_quote($name)
db_quote($pass)
Depending on the DBMS, stored procedures can also prevent SQL injection, provided the procedure itself does not build dynamic SQL from its arguments.
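The three query styles from this slide, side by side, as an added example that is not part of the original slides. The slide's `db_call` and `db_quote` are generic pseudo-APIs; here Python's standard `sqlite3` module stands in for the database API, `db_quote` is written out for SQLite's quoting rule (double every single quote), and the user table is constructed sample data. The concatenated version both breaks on a legitimate name containing a quote and lets a crafted password match every row; the placeholder and quote-filter versions do neither.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original slides).
USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "o'brien", "pw")]


def make_db():
    """Build an in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_concat(conn, name, password):
    """Vulnerable: user input is pasted straight into the SQL text."""
    sql = "SELECT id FROM users WHERE name='%s' AND pass='%s'" % (name, password)
    return [row[0] for row in conn.execute(sql)]


def login_placeholder(conn, name, password):
    """Preferred: placeholders. The driver sends the values separately from the
    SQL text, so a quote inside a value is only ever data."""
    sql = "SELECT id FROM users WHERE name=? AND pass=?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def db_quote(value):
    """Hypothetical stand-in for the slide's db_quote: SQLite's quoting rule is
    to double each single quote inside a string literal. Other DBMSs have
    their own rules; always use the driver's own quoting function."""
    return value.replace("'", "''")


def login_quoted(conn, name, password):
    """Fallback when the API has no placeholders: same concatenation as
    login_concat, but every input passes through db_quote first."""
    sql = "SELECT id FROM users WHERE name='%s' AND pass='%s'" % (
        db_quote(name), db_quote(password))
    return [row[0] for row in conn.execute(sql)]


def concat_breaks_on_quote(conn):
    """True if the unquoted concatenation cannot even handle a legitimate
    name containing an apostrophe (the SQL becomes syntactically invalid)."""
    try:
        login_concat(conn, "o'brien", "pw")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    bad_pass = "' OR '1'='1"  # password value that turns the WHERE clause into a tautology
    print("concat     :", login_concat(conn, "alice", bad_pass))       # every user id
    print("placeholder:", login_placeholder(conn, "alice", bad_pass))  # []
    print("quoted     :", login_quoted(conn, "alice", bad_pass))       # []
    print("legit name via placeholder:", login_placeholder(conn, "o'brien", "pw"))
    print("concat breaks on apostrophe:", concat_breaks_on_quote(conn))
```

Note that `login_quoted` is only as good as the quoting rule matching the DBMS and being applied to every input without exception, which is why the slide lists it as the fallback rather than the first choice.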