I wonder what the best way is to prevent injection through user input. There are a lot of examples, but one says "magic_quotes_gpc" is good but will be removed from PHP soon, so there is no point in using it. Another says "mysql_real_escape_string and addslashes" are just used to clean inputs. Etc., etc.
I am confused about what to really use. Can anyone make the code below best practice, please?
Thanks in advance.
<?php
$uid=$_POST["username"];
$psw=$_POST["password"];
$query="SELECT * FROM mytable WHERE uid='$uid' AND psw=sha1('$psw')";
$runit=mysql_query($query);
?>
Edited 3 Years Ago by mike_2000_17: Fixed formatting
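The same lookup written with a PDO prepared statement, as an added example that is not part of the original post: the values are bound to placeholders, so nothing from the request becomes part of the SQL text. The in-memory SQLite table, the sample rows and the `find_user` helper are constructed for illustration; the table and column names are the ones from the post.

```php
<?php
// Added example, not the poster's code. SQLite in memory keeps it runnable
// offline; against MySQL only the DSN and credentials differ (assumed).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample row using the post's columns: uid, psw (SHA-1 hex).
$pdo->exec("CREATE TABLE mytable (uid TEXT PRIMARY KEY, psw TEXT)");
$ins = $pdo->prepare("INSERT INTO mytable (uid, psw) VALUES (:uid, :psw)");
$ins->execute([':uid' => 'alice', ':psw' => sha1('correct horse')]);

// Hypothetical helper: returns the matching uid, or null when nothing matches.
function find_user(PDO $pdo, $uid, $psw)
{
    // A request can send username[]=x, which arrives as an array, not a string.
    if (!is_string($uid) || !is_string($psw)) {
        return null;
    }
    // The SQL text is fixed; user input travels separately as bound values.
    // SHA-1 is computed in PHP only to match the post's existing psw column.
    $stmt = $pdo->prepare(
        "SELECT uid FROM mytable WHERE uid = :uid AND psw = :psw"
    );
    $stmt->execute([':uid' => $uid, ':psw' => sha1($psw)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['uid'];
}

// Constructed inputs standing in for $_POST["username"] / $_POST["password"].
$inputs = [
    ['alice', 'correct horse'],   // valid credentials
    ['alice', 'wrong'],           // wrong password
    ["alice' -- ", 'anything'],   // quote and comment marker stay plain data
    [['alice'], 'correct horse'], // array-valued field is rejected
];

foreach ($inputs as $pair) {
    $result = find_user($pdo, $pair[0], $pair[1]);
    printf("%-20s => %s\n", json_encode($pair[0]), $result === null ? 'no match' : $result);
}
```

With the MySQL PDO driver, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the statement is prepared by the server rather than assembled client-side.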