How to solve SQL injection

How to solve SQL injection

To prevent SQL injection, check and make sure that user input shall be correct.

1. You shall never log on as database owner or superuser and try to connect to database as customized user so that the privileges should be very limited.
2. Then you shall examine that data type of given input is correct.  Input validating functions of PHP could be very different.  For example, those found in Character Type Functions and in Variable Functions i.e. ctype_digit() , is_numeric() respectively are the simplest functions while Perl Compatible Regular Expressions PCRE are one of the most complicated one.
3. If the numerical input is expected, you shall use the numeric representation of sprintf(), or settype() to change type silently and also verify the data using is_numeric().
4. You shall use the function of database-specific string escape e.g. sqlite_escape_string(), mysql_real_escape_string() etc. To count the supplied value of every non-numeric user which value would forward to database. If above mechanism of string escape cannot be used, then str_replace() functions and addslashes() might be the other practical tools subject to type of database.  As per first example shows that it is not enough to add quotes to query of static part which the adding would make the query vulnerable.
5. The specific database information, especially the schema, shall not be printed out. Check logging function, error handling and error reporting.
6. The cursors defined earlier and procedures stored could also be used to retrieve data access so that users do not need to access views or tables directly.

Lastly, mysql_real_escape_string function could be used and consequently the attempt of injection will be neutralized.