I developed a page in PHP for internal use at the company I work for, and only a very few people use it. The page lets you run queries, inserts, updates and deletes on a table in a MySQL database. However, I believe my PHP code is not protected against SQL injection, for example:
//----SQL QUERY----// ($valor is concatenated straight into the SQL text)
$busca = mysql_query ('insert into Produtos (coluna) values(' . $valor . ')');
So let's say the user enters this in the valor field:

1); DROP TABLE Produtos;

The command would then look like:

insert into Produtos (coluna) values(1); DROP TABLE Produtos;

It will insert a new record whose coluna field is 1, and right after that it will delete the Produtos table.
How can I improve my code to prevent this situation?
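The standard fix for the concatenated insert above is a prepared statement, so the SQL text and the user's value travel to the server separately and the value can never be parsed as SQL. The block below is an added example, not the asker's code; it assumes a PDO connection to a database named empresa with placeholder credentials, and that the Produtos table has the single column coluna from the question. Two facts worth knowing alongside it: the old mysql_query() never runs a second statement in one call, but concatenation is still injectable because the user controls the rest of the query's syntax, and the whole mysql_* extension was removed in PHP 7.0, so PDO or mysqli is required anyway.

```php
<?php
// Added example (not the code from the question): the same insert into
// Produtos written with PDO prepared statements.
// Assumptions: database "empresa", user "usuario", password "senha", and a
// table Produtos with one column "coluna", as in the question.

$dsn = 'mysql:host=localhost;dbname=empresa;charset=utf8mb4';
$pdo = new PDO($dsn, 'usuario', 'senha', [
    // Throw on any SQL error instead of silently returning false.
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Use the server's native prepare/execute protocol rather than having
    // PDO splice the quoted value into the query string on the client.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

/**
 * Insert one row into Produtos.
 * The SQL text contains only the :valor placeholder; the actual value is
 * sent as a bound parameter, so "1); DROP TABLE Produtos;" is just data.
 * Returns the number of rows inserted (1 on success, exception on failure).
 */
function inserirProduto(PDO $pdo, string $valor): int
{
    $stmt = $pdo->prepare('INSERT INTO Produtos (coluna) VALUES (:valor)');
    $stmt->execute([':valor' => $valor]);
    return $stmt->rowCount();
}

/**
 * Look a row up by the exact value of coluna, again via a bound parameter.
 * Returns the stored value, or null if no such row exists.
 */
function buscarProduto(PDO $pdo, string $valor): ?string
{
    $stmt = $pdo->prepare('SELECT coluna FROM Produtos WHERE coluna = :valor');
    $stmt->execute([':valor' => $valor]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : (string) $row;
}

// The payload from the question, used here as constructed sample input.
// With a prepared statement it is stored verbatim as the column value;
// the Produtos table is not dropped.
$payload = '1); DROP TABLE Produtos;';
inserirProduto($pdo, $payload);
var_dump(buscarProduto($pdo, $payload) === $payload);
```

The same pattern is available without PDO through mysqli_prepare() and bind_param(). One caveat applies to both: placeholders can only stand in for values. Table and column names cannot be bound, so if the page ever lets the user choose which column to write to, compare that choice against a fixed list of allowed names in PHP before building the query.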