PHP best practices - The dos and don'ts

The issue: Using userdata in queries often causes users manipulating queries.


<?php
$sql = 'SELECT password FROM user WHERE login = ' . $_GET['login'];
?>

Request: http://example.com/tests/simple.php?login=username+OR+1

The solution: Use databases extensions escape functions


<?php
$sql = 'SELECT password FROM user WHERE login = ' . 
       mysql_real_escape_string( $_GET['login'] );
?>

Hint: Even better use prepared statements


<?php
$db = new PDO( ... );
$stmt = $db->prepare( 'SELECT password FROM user WHERE login = ?' );
$stmt->execute( array( $_GET['login'] ) );
?>