How can I prevent SQL injection in PHP?« Back to Questions List

The application becomes vulnerable to SQL injection if the user input is inserted without modification into an SQL query like this: $unsafe_variable = $_POST['user_input']; mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')"); That's because the user can input something like value'); DROP TABLE table;--, and the query becomes: INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--') How can we prevent this?