MySQLi prevent SQL injections


Mudsaf

Hello, I've mostly learned MySQL and lately I've tried to change to MySQLi. I'm wondering how to insert data into the database while preventing SQL injections?

On MySQL I used stripslashes + mysql_real_escape_string.

Let's say I have $_POST['uname'] and $_POST['upass']; which is the best method to prevent SQL injections? mysqli_real_escape_string or a prepared query? If a prepared query, could somebody show me an example?


Technically there's no security difference between mysqli_real_escape_string and prepared statements, but prepared statements ensure that you don't forget to escape a particular string leading to a potential security problem.


Technically there's no security difference between mysqli_real_escape_string and prepared statements, but prepared statements ensure that you don't forget to escape a particular string leading to a potential security problem.

 

Thanks for the info, could you show me an example of a prepared mysqli_query with a couple of $_POST elements? :)


There are examples here:

http://es1.php.net/mysqli_prepare

http://es1.php.net/manual/en/mysqli-stmt.execute.php

 

Here's the example from the PHP manual, edited to show where you could put $_POST variables.

<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$mysqli->query("CREATE TABLE myCity LIKE City");

/* Prepare an insert statement; the ? placeholders are filled by bind_param, never by string concatenation */
$query = "INSERT INTO myCity (Name, CountryCode, District) VALUES (?,?,?)";
$stmt = $mysqli->prepare($query);

/* bind_param binds the variables by reference, so they can be assigned (and re-assigned) after binding */
$stmt->bind_param("sss", $val1, $val2, $val3);

$val1 = $_POST['city_name1'];
$val2 = $_POST['country_code1'];
$val3 = $_POST['district1'];

/* Execute the statement */
$stmt->execute();

$val1 = $_POST['city_name2'];
$val2 = $_POST['country_code2'];
$val3 = $_POST['district2'];

/* Execute the statement again with the new values */
$stmt->execute();

/* close statement */
$stmt->close();

/* retrieve all rows from myCity */
$query = "SELECT Name, CountryCode, District FROM myCity";
if ($result = $mysqli->query($query)) {
    while ($row = $result->fetch_row()) {
        printf("%s (%s,%s)\n", $row[0], $row[1], $row[2]);
    }
    /* free result set */
    $result->close();
}

/* remove table */
$mysqli->query("DROP TABLE myCity");

/* close connection */
$mysqli->close();
?>
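The original poster's own case ($_POST['uname'] and $_POST['upass']) done with a mysqli prepared statement, as an added example that is not part of the thread or the PHP manual. The `users` table and its columns, the connection details, and the use of password_hash/password_verify (PHP 5.5+; the `??` operator needs PHP 7+) are assumptions, not something the thread specifies.

```php
<?php
// Added example, not from the thread. Assumed schema:
//   users(id INT AUTO_INCREMENT PRIMARY KEY, uname VARCHAR(64) UNIQUE, upass VARCHAR(255))
$mysqli = new mysqli("localhost", "my_user", "my_password", "my_db");
if ($mysqli->connect_errno) {
    die("Connect failed: " . $mysqli->connect_error);
}

$uname = $_POST['uname'] ?? '';
$upass = $_POST['upass'] ?? '';

// UNSAFE (the mysql_* habit carried over): any quote character in the input
// ends the string literal and becomes part of the SQL. Kept only for contrast.
// $sql = "INSERT INTO users (uname, upass) VALUES ('" . $uname . "', '" . $upass . "')";

// SAFE: placeholders keep SQL and data separate, so there is nothing to forget to escape.
// The password is stored as a hash, never in clear text (assumed, not in the thread).
$hash = password_hash($upass, PASSWORD_DEFAULT);
$stmt = $mysqli->prepare("INSERT INTO users (uname, upass) VALUES (?, ?)");
if ($stmt === false) {
    die("Prepare failed: " . $mysqli->error);
}
$stmt->bind_param("ss", $uname, $hash);   // "ss" = two string parameters
if (!$stmt->execute()) {
    die("Execute failed: " . $stmt->error);   // e.g. duplicate uname
}
$stmt->close();

// The same pattern for the login check: look the user up by name with a
// placeholder, then verify the submitted password against the stored hash in PHP.
$stmt = $mysqli->prepare("SELECT upass FROM users WHERE uname = ?");
$stmt->bind_param("s", $uname);
$stmt->execute();
$stmt->bind_result($storedHash);
$ok = ($stmt->fetch() === true) && password_verify($upass, $storedHash);
$stmt->close();

echo $ok ? "login ok\n" : "login failed\n";
$mysqli->close();
?>
```

Both queries work the same way regardless of what the user types, because the bound values are sent to the server separately from the query text and are never parsed as SQL.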
