SQL Injection
SQL Injection is something that should be taken seriously, as if you don't know what you are doing, you are very likely to get hacked, or maybe all your data deleted.
WikiPedia defines SQL Injection as:
Quote
SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.
We don't want a Little Bobby Tables on our hands, which might DROP or DELETE everything in your tables, but how can you keep yourself safe?
You can keep yourself safe with sqlite_escape_string, which will escape anything needed, specially designed for SQLite. This function is super easy to use
$str = "Hello! Don't try to hack me!";
$str = sqlite_escape_string($str);
echo $str;
That would output: "Hello! Don''t try to hack me!", however, there are other ways of sanitizing your inputs (Not always as secure though), I always use this function that I have created, much like htmlspecialchars, although I like mine better
function clean($str) {
$replace = array(
'&' => '&',
'"' => '"',
"'" => ''',
'<' => '<',
'>' => '>'
);
$str = str_replace(array_keys($replace), array_values($replace), $str);
return $str;
}
If you used this function, it would out this for our string "Hello! Don't try to hack me!", "Hello! Don't try to hack me!", however, you would only see the ' if you view the source, otherwise, it would look just like '