I have a problem. I mad an software application and everything is running perfectly, however i found out that it is unsafe to use because i didnt prevent SQL-Injections. I googled a bit and found that you could you mysql_real_escape_string. However if i add this around a variable in my php file the whole php file will stop working properly. Does anybody know how to fix this?
Here is a example php-file that i am using:
<?php
$server = "";
$username = "";
$password = "";
$database = "";
$con = mysql_connect($server, $username, $password) or die ("Could not connect: " . mysql_error());
mysql_select_db($database, $con);
$id = $_GET['id'];
$sitze = $_GET['sitze'];
$farbe = $_GET['farbe'];
$kennzeichen = $_GET['kennzeichen'];
$automarke =$_GET['automarke'];
$rauchen = $_GET["rauchen"];
$essen = $_GET["essen"];
$trinken = $_GET["trinken"];
//Insert Fahrten
$sql = "INSERT INTO fahrzeuge (sitzplaetze, farbe, kennzeichen, automarke, rauchen, essen, trinken, user_user_id) VALUES ('$sitze','$farbe','$kennzeichen','$automarke','$rauchen','$essen','$trinken','$id')";
if (mysql_query($sql) === TRUE) {
$records[] = "success";
$idfahrt= mysql_insert_id();
$records[] = $idfahrt;
} else {
$records[] = "Es ist ein Fehler aufgetreten!!";
}
//end Insert Fahrten
mysql_close($con);
echo $_GET['jsoncallback'] . '(' . json_encode($records) . ');';
?>