Prevent SQL INJECTION in PHP

Use prepared statements and parameterized queries. These are SQL statements that are sent to and parsed by the database server separately from any parameters, so a parameter value is only ever treated as data and an attacker cannot turn it into SQL. You basically have two options to achieve this:

Using PDO (for any supported database driver):

    // $pdo is an already opened PDO connection; :name is a named placeholder
    $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
    $stmt->execute(array('name' => $name));
    foreach ($stmt as $row) {
        // Do something with $row
    }

Using MySQLi (for MySQL):

    // $dbConnection is an already opened mysqli connection; ? is a positional placeholder
    $stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
    $stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
    $stmt->execute();
    $result = $stmt->get_result();
    while ($row = $result->fetch_assoc()) {
        // Do something with $row
    }

If you're connecting to a database other than MySQL, there is a driver-specific
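The following is an added example, not code from the original post. It puts the string-concatenation form that is vulnerable to injection next to the two parameterized forms above, wrapped as functions so the difference is visible in one file. The connection strings, credentials and the employees table are placeholders and assumptions; PDO::ATTR_EMULATE_PREPARES => false is a real PDO option that is not mentioned in the post, added here so that PDO uses genuine server-side prepares instead of client-side quoting.

```php
<?php
// Added example (not from the original post). Assumes a MySQL database
// reachable with the placeholder credentials below and an `employees`
// table that has a `name` column.
declare(strict_types=1);

// Vulnerable form, shown for contrast only: the user-supplied value is
// spliced into the SQL text, so the database parses it as part of the
// query rather than as data.
function findEmployeesUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT * FROM employees WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form with PDO: the statement text reaches the server first,
// the value is bound afterwards and can only be compared as a string.
function findEmployeesPdo(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
    $stmt->execute(['name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form with MySQLi: positional placeholder plus bind_param,
// 's' telling the driver to bind the value as a string.
function findEmployeesMysqli(mysqli $db, string $name): array
{
    $stmt = $db->prepare('SELECT * FROM employees WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Placeholder connection details; replace with your own.
$pdo = new PDO(
    'mysql:host=DB_HOST_PLACEHOLDER;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        // Surface driver errors as exceptions instead of silent failures
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepared statements, not client-side quoting
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli(
    'DB_HOST_PLACEHOLDER',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    'DB_NAME_PLACEHOLDER'
);

// A legitimate name containing a quote character. Both prepared forms
// look up exactly this string; the concatenated form would produce a
// syntax error here, because the quote terminates the SQL literal early.
$name = "O'Brien";
print_r(findEmployeesPdo($pdo, $name));
print_r(findEmployeesMysqli($db, $name));
```

The O'Brien input is a useful first check when reviewing a code base: any query that breaks on an apostrophe in ordinary data is building SQL by concatenation and should be moved to one of the two prepared forms.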