How to prevent SQL injection in PHP?

use a php function name 'mysql_real_escape_string()' but this function will be deprecated in5.5.0 version of php.
but you can use MySQLi or PDO_MySQL for prevent the sql injection in php.

Use parameterized queries

If you maintaining a server, I would suggest you can hardened your PHP by using suhosin extensions in the project.
By default, FreeBSD is using this technology in PHP.
You can find the information on www.hardened-php.net I hope this help you

There are basically two main methods to prevent sql injection attacks. 

 

Make a function like this

 

<?php

function BlockSQLInjection($str)

{

return str_replace(array(“‘”,”””,”‘”,'”‘),array(“‘”,”&quot;”‘”,”&quot;”,$str));

}

?>

str_replace() function will replace all characters in the string

Another method is to use prepared statement to execute sql queries.

You can also prevent php sql injection attacks by removing unused stored procedures.

You can use prepared statements.
These are sql statements that are parsed by the database server separate from the parameters so if one sends in some injected parameter value, then its effect is handled during parsing.

MYSQLi : Use mysql_real_escape_string($unsafe_variable); PDO :Use prepared statements and parameterized queries

using PDO $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name'); $stmt->execute(array(':name' => $name)); foreach ($stmt as $row) { // do something with $row }