I developed a page in PHP for internal use of the company I work with and only very few people use it. You can use this page to do some queries, insertions, changes and deletions of a table in a MySQL database, however I believe that my PHP code is not protected against SQL injection, for example:
//----CONSULTA SQL----//
$busca = mysql_query ('insert into Produtos (coluna) values(' . $valor . ')');
So let's say the user uses the statement: 1); DROP TABLE Produtos;
to the valor
field the command would look like:
insert into Produtos (coluna) values(1); DROP TABLE Produtos;
It will insert a new record whose field coluna
will be 1
and soon it will delete the Products table.
How can I improve my code to prevent this situation?