How to block SQL injection for this query?

Question

now i have this form post script

  <?
   if(isset($_POST['baslik'])) {
$sql = "INSERT INTO yazilar (baslik, spot, spot_kisa, spot_resim, spot_resim_isim, icerik, kategori, tiklanma, eklemetarihi)
VALUES
('$_POST[baslik]','$_POST[spot]','$_POST[spot_kisa]','$_POST[spot_resim]','$_POST[spot_resim_isim]','$_POST[icerik]','$_POST[kategori]','$_POST[tiklanma]','$_POST[tarih]')";
$sonuc = mysql_query($sql) or die(mysql_error());
  if ($sonuc) {
    echo ("<p class='msg done'>Yeni icerik basarili bir sekilde eklendi.</p>");
    exit;
  } 
  else {
    $error = "<p class='msg warning'>Ekleme basarisiz oldu.</p>";  
  }
}
         ?>

how can i ignore sql injections for this query?

dup: http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php — Rubens Farias, Jan 13 '10 at 09:48

score 8 · Answer 1 · answered Jan 13 '10 at 09:45

Use parametrised queries. Unfortunately these are not supported by the mysql extension in PHP 4, but if you are using PHP 5, you can use the mysqli extension or PDO instead, where they are.

See http://www.php.net/manual/en/mysqli.prepare.php for an example of how this is done.

score 1 · Accepted Answer · answered Jan 13 '10 at 09:50

Using parametrised queries as jammycackes suggests is the way to go, but if you for some reason cannot use them then you can use the mysql-real-escape-string function to block most (all?) dangerous values. The problem is that you must use it on every received value, so you cannot use the shorthand notion you use in your example.

How to block SQL injection for this query?

2 Answers2