Spunky, posted December 21, 2014

Based on my reading here: http://www.w3schools.com/sql/sql_injection.asp I attempted to change:

$query = "INSERT INTO houses (location) VALUES ('$location')";
mysql_query($query) or die(mysql_error());

(which works) into this:

$query = $dbh->prepare("INSERT INTO houses (location) VALUES (:loc)");
$query->bindParam(':loc', $location);
$query->execute();
mysql_query($query) or die(mysql_error());

The code doesn't work. I am not sure if I translated correctly how to add "parameters" to the code to protect against SQL injection.
Don E, posted December 21, 2014

Try:

$query = $dbh->prepare("INSERT INTO houses (location) VALUES (?)");
$query->bind_param('s', $location);
$query->execute();
Spunky (author), posted December 27, 2014

Try:

$query = $dbh->prepare("INSERT INTO houses (location) VALUES (?)");
$query->bind_param('s', $location);
$query->execute();

Not working either.
Don E, posted December 27, 2014

Are you getting any errors? Try adding this to your code after execute() to see if you get any output:

echo $dbh->error;
dsonesuk, posted December 28, 2014

mysqli uses bind_param(), PDO uses bindParam(). Which connection setup are you using? PDO or mysqli? http://www.w3schools.com/php/php_mysql_prepared_statements.asp

Edited December 28, 2014 by dsonesuk
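For reference, here is the same INSERT written as a prepared statement for each of the two drivers the thread mentions. This is an added example, not code from any poster; the host, database name and credentials are placeholders, and the $location value is constructed. The key difference from the original snippet is that execute() runs the statement itself, so the prepared statement is never handed to mysql_query(), which belongs to a separate extension and cannot accept it.

```php
<?php
// Added example: parameterised INSERT with PDO and with mysqli.
// EXAMPLE_DB / EXAMPLE_USER / EXAMPLE_PASS are placeholders.

$location = "O'Brien Street"; // constructed input; the quote is safe when bound

// --- PDO: prepare() + bindValue()/bindParam() --------------------------
$pdo = new PDO(
    'mysql:host=localhost;dbname=EXAMPLE_DB;charset=utf8mb4',
    'EXAMPLE_USER',
    'EXAMPLE_PASS',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly, not silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // server-side prepared statements
    ]
);
$stmt = $pdo->prepare('INSERT INTO houses (location) VALUES (:loc)');
$stmt->bindValue(':loc', $location, PDO::PARAM_STR);
$stmt->execute();                       // execute() runs it; no mysql_query() call
echo 'PDO inserted row id ' . $pdo->lastInsertId() . "\n";

// --- mysqli: prepare() + bind_param() ----------------------------------
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on driver errors
$db = new mysqli('localhost', 'EXAMPLE_USER', 'EXAMPLE_PASS', 'EXAMPLE_DB');
$db->set_charset('utf8mb4');
$stmt = $db->prepare('INSERT INTO houses (location) VALUES (?)');
$stmt->bind_param('s', $location);      // 's' marks the placeholder as a string
$stmt->execute();
echo 'mysqli inserted row id ' . $db->insert_id . "\n";
$stmt->close();
$db->close();
```

Because both connections are configured to throw on errors, a failed prepare() or execute() surfaces as an exception instead of the silent failure described in the thread.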