Attacker modifies our SQL query By inputting characters like ' or \ to fields By using characters where we expect numbers (ID, offset) Again - not only security but also usability Access or modification of secured data Full control with some databases E.g. SQLite or PostgreSQL allows executing multiple queries in one function Prepared statements, variables binding Data is not intermingled with a query The query can't be modified by data Database escaping functions, %intval()% Beware %magic_quotes_gpc% Must be set or known with any approach Modify data on unsecured site Delete all data from SQLite database Cause syntax error on a page with wrong escaping http://php.vrana.cz/obrana-proti-sql-injection.php http://php.vrana.cz/vypnuti-magic_quotes_gpc.php