The program becomes vulnerable to SQL injection if user input is added to a SQL query without change, as in the example below:
```php
// Vulnerable: the raw POST value is interpolated straight into the SQL text
$unsafe_variable = $_POST['user_input'];
mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");
```
This is due to the user's ability to input items like `value'); DROP TABLE table;--`, and the query becomes:
```sql
INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')
```
What steps may be taken to avoid this scenario?
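As an added example (not part of the question), the same insert written with a PDO prepared statement next to the string-interpolated version, so the payload from the question ends up stored as a literal value instead of altering the statement. It assumes an in-memory SQLite database so that it runs offline; for MySQL only the DSN and credentials change.

```php
<?php
// Added example, not code from the question. Uses SQLite in memory so it
// runs without a server; with MySQL the DSN would be
// 'mysql:host=HOST;dbname=DB' plus a user and password (assumed values).
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server
// receives the statement and the parameters separately.
$pdo->exec('CREATE TABLE `table` (`column` TEXT)');

// The payload from the question, as it would arrive in $_POST['user_input']
// (constructed here instead of read from the request).
$userInput = "value'); DROP TABLE table;--";

// Unsafe: the value becomes part of the SQL text, so a quote inside it closes
// the string literal and the rest is parsed as SQL. Returned rather than
// executed, to show exactly what the database would be asked to run.
function buildUnsafeQuery(string $value): string
{
    return "INSERT INTO `table` (`column`) VALUES ('$value')";
}

// Safe: the statement is compiled with a placeholder and the value is bound
// afterwards, so its contents can never change the statement's structure.
function insertSafe(PDO $pdo, string $value): void
{
    $stmt = $pdo->prepare('INSERT INTO `table` (`column`) VALUES (?)');
    $stmt->execute([$value]);
}

echo buildUnsafeQuery($userInput), PHP_EOL;
// INSERT INTO `table` (`column`) VALUES ('value'); DROP TABLE table;--')

insertSafe($pdo, $userInput);
$rows = $pdo->query('SELECT `column` FROM `table`')->fetchAll(PDO::FETCH_COLUMN);
// The whole payload is stored as one string and the table still exists.
var_dump($rows === [$userInput]); // bool(true)
```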