PHP Security - Avoid SQL Injection and XSS Attacks
Tuesday, October 28th, 2008
If using $_GET or $_POST variables in a MySQL query, clean them with mysql_real_escape_string.
When displaying user submitted content from the database, apply htmlentities before it is displayed.
SQL Injection - mysql_real_escape_string()
Using mysql_real_escape_string stops malicious input from breaking SQL queries. The quote ' is a reserved character in SQL. When it appears as part of a parameter [...]
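The two rules above (escape before the query, encode before the HTML) side by side. This is an added example, not code from the original post; the `users` table, its `name` and `bio` columns, the `$link`/`$pdo` connections and the connection credentials are all assumptions. The vulnerable function is kept only to show what the escaped and prepared versions change.

```php
<?php
// Added example (not from the original post). Assumes a hypothetical
// MySQL table `users` with columns `name` and `bio`.

// --- Vulnerable: the raw request value is concatenated into the SQL text.
// A value containing a single quote closes the string literal early, so
// whatever follows is parsed as SQL rather than as data.
function find_user_vulnerable($link, $name) {
    $sql = "SELECT name, bio FROM users WHERE name = '" . $name . "'";
    return mysql_query($sql, $link);
}

// --- Escaped, as the post recommends. mysql_real_escape_string() uses the
// connection's character set and backslash-escapes quotes, backslashes,
// NUL and newline characters, so the value stays inside the quoted literal.
// Note that this only helps when the value is placed inside quotes.
function find_user_escaped($link, $name) {
    $safe = mysql_real_escape_string($name, $link);
    $sql  = "SELECT name, bio FROM users WHERE name = '" . $safe . "'";
    return mysql_query($sql, $link);
}

// --- Same query as a PDO prepared statement. The value travels separately
// from the SQL text, so no escaping is needed and no quoting mistake is
// possible.
function find_user_prepared(PDO $pdo, $name) {
    $stmt = $pdo->prepare("SELECT name, bio FROM users WHERE name = :name");
    $stmt->execute(array(':name' => $name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Output side: encode stored content before it goes into HTML, so a bio
// containing markup such as <script> tags is displayed as text, not run.
// ENT_QUOTES also encodes single quotes, which matters inside attributes.
function render_bio($bio) {
    return '<p>' . htmlentities($bio, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Request handling (constructed): /profile.php?name=alice
$name = isset($_GET['name']) ? $_GET['name'] : '';

// Placeholder DSN and credentials; replace with real values.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8', 'dbuser', 'dbpassword');

foreach (find_user_prepared($pdo, $name) as $row) {
    echo render_bio($row['bio']);
}
```

Two caveats worth knowing when applying the post's advice today: escaping protects only values placed inside a quoted string literal, so an unquoted numeric parameter must additionally be cast (for example with `(int)`) or bound as a parameter; and the `mysql_*` extension was removed in PHP 7.0, so `find_user_escaped()` only runs on PHP 5, while the prepared-statement version is the current equivalent of the same protection.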