
How to protect this form from SQL injections [duplicate]

This question already has answers here: Closed 11 years ago.

Possible Duplicate:

Editing MySQL recode using a HTML form

I'd like to know how to validate the inputs of this submit form. By validate I mean keep it safe from SQL injections. Any help will be really appreciated. Thank you.

<?php

session_start();
// Send anyone without an admin session back to the login page
if (!session_is_registered('ausername')) {
    header("location:main_login.php");
    exit;
}
include ("header.php");
include ("../db.php");

$catname = $_POST['catname'];
$catdisc = $_POST['catdisc'];

$id = $_GET['id'];
if (isset($id)) {
    // $id comes straight from the URL and is pasted into the query unescaped
    $query = "SELECT * FROM categories WHERE catid='$id'";
    $result = mysql_query($query) or die ('Mysql Error');
}
// Get category name and description
while ($row = mysql_fetch_array($result)) {
    $cname = $row['catname'];
    $cdisc = $row['catdisc'];
}
?>

<?php

// Only run the update once the form has actually been submitted;
// the POST values are again concatenated into the SQL unescaped
if (isset($_POST['catname'])) {
    $result = mysql_query ("UPDATE categories SET catname='$catname', catdisc='$catdisc' WHERE catid='$id'")
        or die ('Error Updating');
}

?>

<h1>Edit Categories</h1>

<form method="post" action="../admin/edit_cat.php?id=<?php echo $id;?>">
Category Name: <input type="text" name="catname" value="<?php echo $cname;?>"><br/>
Category Description: <TEXTAREA NAME="catdisc" ROWS="3" COLS="25"><?php echo $cdisc;?></TEXTAREA><br/><br/>
<input type="submit" value="Update Category"/>
</form>

<?php
include ("footer.php");
?>


strings (have to be in single/double quotes in the query!) -> mysql_real_escape_string();

integers (can be without quotes) -> intval();

$catname = mysql_real_escape_string($_POST['catname']);
$catdisc = mysql_real_escape_string($_POST['catdisc']);
$id = intval($_GET['id']);

$result = mysql_query ("UPDATE categories SET catname='$catname', catdisc='$catdisc' WHERE catid=$id");


Add mysql_real_escape_string calls for all your query variables, see http://php.net/manual/en/function.mysql-real-escape-string.php


See 'Avoidance Techniques' from the PHP SQL Injection docs.


Use a database library that uses placeholders. Better API, and it takes care of SQL injection for free.

For example, see prepare and execute in MDB2


Use prepared statements whenever handling values that users can change: http://us2.php.net/manual/en/pdo.prepare.php

They make SQL injection impossible.
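As an added example (not code from the question or from any of the answers above), here is the edit_cat.php SELECT and UPDATE rewritten with PDO prepared statements, combining the escape-and-cast advice with the placeholder advice: the id is cast to an integer and bound as an integer parameter, and the two strings are bound as string parameters. An in-memory SQLite database (PHP's pdo_sqlite driver is assumed to be available) stands in for the MySQL connection that ../db.php would normally provide, so the script runs on its own; the table, the sample row and the request values are constructed for the demonstration.

```php
<?php
// Added example: the edit_cat.php queries done with PDO prepared statements.
// SQLite in memory replaces the ../db.php MySQL connection so this runs alone;
// the table and row below are constructed for the demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE categories (catid INTEGER PRIMARY KEY, catname TEXT, catdisc TEXT)");
$pdo->exec("INSERT INTO categories (catid, catname, catdisc) VALUES (7, 'Books', 'Printed books')");

// Fetch one category. The id is cast to int (the intval() advice) and is
// still passed as a bound parameter, never spliced into the SQL text.
function load_category(PDO $pdo, $id)
{
    $stmt = $pdo->prepare("SELECT catname, catdisc FROM categories WHERE catid = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC); // false when no row matches
}

// Update a category. The strings travel as parameters, so quotes, semicolons
// and comment markers inside them are stored as data, not parsed as SQL.
function update_category(PDO $pdo, $id, $catname, $catdisc)
{
    $stmt = $pdo->prepare(
        "UPDATE categories SET catname = :catname, catdisc = :catdisc WHERE catid = :id"
    );
    $stmt->bindValue(':catname', $catname, PDO::PARAM_STR);
    $stmt->bindValue(':catdisc', $catdisc, PDO::PARAM_STR);
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // rows changed: 1 on success, 0 if the id does not exist
}

// Constructed request values: a legitimate apostrophe plus SQL metacharacters,
// the kind of input that breaks the concatenated query on the original page.
$id      = "7";
$catname = "Children's Books";
$catdisc = "Fiction; see also -- 'classics'";

// The original page ran the UPDATE on every request, including the GET that
// first renders the form. Only update when the form was actually submitted.
$is_post = true; // stands in for $_SERVER['REQUEST_METHOD'] === 'POST'
if ($is_post) {
    $changed = update_category($pdo, $id, $catname, $catdisc);
    echo "rows updated: $changed\n";
}

$row = load_category($pdo, $id);
echo ($row['catname'] === $catname) ? "name stored verbatim\n" : "name corrupted\n";
echo ($row['catdisc'] === $catdisc) ? "description stored verbatim\n" : "description corrupted\n";

// Rendering the value back into the form is a separate concern from SQL:
// escape for HTML on output, which the original page did not do either.
printf('Category Name: <input type="text" name="catname" value="%s">' . "\n",
    htmlspecialchars($row['catname'], ENT_QUOTES, 'UTF-8'));
```

The two user-controlled strings never touch the SQL text, so the apostrophe in the name and the `;` and `--` in the description are stored exactly as typed and the table is untouched. Binding the id with `PDO::PARAM_INT` after the `(int)` cast also removes the unquoted-integer case that escaping alone does not cover.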
