SQL Injection

SQL injection is the act of inserting attacker-controlled SQL into a query so that the database executes something the application never intended. Depending on the query, an attacker can log in as an administrator without knowing the password, read data that should be private, or modify or delete records.

To prevent SQL injection, never let unchecked user input reach a query. Validate every value against what it is supposed to be: if a field is supposed to contain a number, confirm that it actually is one before using it. Note that is_numeric() also accepts floats and exponent notation such as "1e3"; for an integer ID, filter_var() with FILTER_VALIDATE_INT is the stricter check.

// Stop the request if the submitted value is not numeric.
if (!is_numeric($_POST['number'])) die('Please choose a number.');

Sanitizing data before it is placed in a query means escaping the characters that would otherwise change the query's meaning, above all the quote. addslashes() helps but is not enough: it knows nothing about the connection's character set, so with some multibyte encodings a crafted byte sequence can still smuggle an unescaped quote through. For MySQL, mysql_real_escape_string() escapes according to the connection's charset, but it belongs to the old mysql extension that was removed in PHP 7; use mysqli_real_escape_string() or PDO::quote() instead. Even correct escaping only protects values that sit inside quotes: an unquoted numeric comparison such as WHERE id=$id cannot be fixed by escaping and must be validated as a number. The most reliable defence is not to build the query from strings at all, but to use a prepared statement with bound parameters, so that user input is never parsed as SQL.

// Vulnerable when $username and $password come straight from the request:
// a quote in either value ends the string and the rest is parsed as SQL.
$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
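The login query above built three ways, as an added example that is not part of the original page: the raw interpolation, the escaped version, and a prepared statement, each run against the same classic payload, plus the unquoted numeric case where escaping cannot help. It uses PDO with an in-memory SQLite database so it runs offline; the table, rows and payloads are constructed for the demo, and PDO::quote() stands in for the MySQL-specific mysqli_real_escape_string().

```php
<?php
// Added example, not code from the original page. Uses PDO with an
// in-memory SQLite database so it runs offline; against MySQL the PDO
// calls are identical, and mysqli_real_escape_string() plays the role
// PDO::quote() plays here. Table, rows and payloads are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
// Plaintext passwords only to keep the demo short; store password hashes in practice.
$db->exec("INSERT INTO users (username, password) VALUES ('admin', 'S3cret!'), ('alice', 'hunter2')");

// 1. Vulnerable: raw input interpolated into the query, as in the $sql line above.
function loginVulnerable(PDO $db, string $username, string $password): array
{
    $sql = "SELECT username FROM users WHERE username='$username' AND password='$password'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Escaped: PDO::quote() wraps the value in quotes and escapes embedded
//    quotes. This only works because each value sits inside a quoted string.
function loginEscaped(PDO $db, string $username, string $password): array
{
    $sql = "SELECT username FROM users WHERE username=" . $db->quote($username)
         . " AND password=" . $db->quote($password);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Prepared statement: the SQL text is fixed and the values travel
//    separately, so user input is never parsed as SQL. Prefer this.
function loginPrepared(PDO $db, string $username, string $password): array
{
    $stmt = $db->prepare('SELECT username FROM users WHERE username = :u AND password = :p');
    $stmt->execute([':u' => $username, ':p' => $password]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Unquoted numeric column: escaping is useless here because the payload
// "1 OR 1=1" contains no quote character to escape.
function userByIdVulnerable(PDO $db, string $id): array
{
    return $db->query("SELECT username FROM users WHERE id=$id")->fetchAll(PDO::FETCH_COLUMN);
}

// Validate as an integer first (FILTER_VALIDATE_INT rejects '1e3' and '1.5',
// which is_numeric() accepts), then bind the value as a parameter.
function userByIdSafe(PDO $db, string $id): array
{
    $n = filter_var($id, FILTER_VALIDATE_INT);
    if ($n === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $db->prepare('SELECT username FROM users WHERE id = ?');
    $stmt->execute([$n]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Classic payload: close the quoted string, then comment out the password
// check. MySQL requires the space after "--"; SQLite accepts it either way.
$user = "admin' -- ";
$pass = 'wrong';

print_r(loginVulnerable($db, $user, $pass));   // admin row: logged in without the password
print_r(loginEscaped($db, $user, $pass));      // the quote is escaped, the literal name matches nothing
print_r(loginPrepared($db, $user, $pass));     // same: the payload is compared as plain text

print_r(userByIdVulnerable($db, '1 OR 1=1'));  // every user: escaping would not have changed this
print_r(userByIdSafe($db, '1'));               // only the user with id 1
try {
    userByIdSafe($db, '1 OR 1=1');             // rejected before any SQL is built
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

With the payload "admin' -- " the vulnerable function returns the admin row, because the comment swallows the password clause, while the escaped and prepared versions return nothing: the quote is escaped or bound and the whole string is compared as a username. The numeric case is the one the escaping paragraph warns about: "1 OR 1=1" has nothing to escape, so only validation or a bound parameter prevents it from returning every row.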