Mudsaf Posted August 27, 2013

Hello, I've learned MySQL mostly and lately I've tried to change to MySQLi. I'm wondering how to insert data into the database while preventing SQL injections? On MySQL I used stripslashes + mysql_real_escape_string. Let's say I have $_POST['uname'] and $_POST['upass']; which is the best method to prevent SQL injections, mysqli_real_escape_string or a prepared query? If a prepared query, could somebody show me an example?
Ingolme Posted August 27, 2013

Technically there's no security difference between mysqli_real_escape_string and prepared statements, but prepared statements ensure that you don't forget to escape a particular string leading to a potential security problem.
Mudsaf Posted August 27, 2013 (Author)

Quote: Technically there's no security difference between mysqli_real_escape_string and prepared statements, but prepared statements ensure that you don't forget to escape a particular string leading to a potential security problem.

Thanks for the info, could you show me an example of a prepared mysqli_query with a couple of $_POST elements?
Ingolme Posted August 27, 2013

There are examples here:
http://es1.php.net/mysqli_prepare
http://es1.php.net/manual/en/mysqli-stmt.execute.php

Here's the example from the PHP manual, edited to show where you could put $_POST variables.

```php
<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$mysqli->query("CREATE TABLE myCity LIKE City");

/* Prepare an insert statement */
$query = "INSERT INTO myCity (Name, CountryCode, District) VALUES (?,?,?)";
$stmt = $mysqli->prepare($query);
$stmt->bind_param("sss", $val1, $val2, $val3);

/* The bound variables are read at execute() time, so assign them after bind_param() */
$val1 = $_POST['city_name1'];
$val2 = $_POST['country_code1'];
$val3 = $_POST['district1'];

/* Execute the statement */
$stmt->execute();

/* Reassign the same bound variables and execute again for a second row */
$val1 = $_POST['city_name2'];
$val2 = $_POST['country_code2'];
$val3 = $_POST['district2'];

/* Execute the statement */
$stmt->execute();

/* close statement */
$stmt->close();

/* retrieve all rows from myCity */
$query = "SELECT Name, CountryCode, District FROM myCity";
if ($result = $mysqli->query($query)) {
    while ($row = $result->fetch_row()) {
        printf("%s (%s,%s)\n", $row[0], $row[1], $row[2]);
    }
    /* free result set */
    $result->close();
}

/* remove table */
$mysqli->query("DROP TABLE myCity");

/* close connection */
$mysqli->close();
?>
```
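The following is an added example, not code from the thread or the PHP manual, that applies the same prepared-statement pattern to the exact fields the question asks about, $_POST['uname'] and $_POST['upass']. It assumes a hypothetical `users` table with a UNIQUE `uname` column and an `upass` column, placeholder connection credentials, and that passwords are stored as password_hash() digests (PHP 5.5+) rather than as the submitted text. Because the values are bound as parameters, they are sent separately from the SQL text and cannot alter the statement; mysqli_report() with MYSQLI_REPORT_STRICT turns database errors into exceptions so a failed INSERT is not silently ignored.

```php
<?php
// Added example (not from the thread): prepared INSERT and SELECT for the
// uname/upass form fields. Assumptions: table `users` (uname UNIQUE, upass),
// placeholder credentials, passwords stored as password_hash() digests.

// Throw mysqli_sql_exception on any database error instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$mysqli = new mysqli("localhost", "my_user", "my_password", "my_db"); // placeholders
$mysqli->set_charset("utf8mb4"); // keep client and server charset in agreement

// Insert a new user. $uname and $upass are bound parameters, so quotes,
// semicolons or comment markers in them are stored as data, not run as SQL.
function register_user($db, $uname, $upass) {
    $stmt = $db->prepare("INSERT INTO users (uname, upass) VALUES (?, ?)");
    $hash = password_hash($upass, PASSWORD_DEFAULT); // never store the raw password
    $stmt->bind_param("ss", $uname, $hash);          // "ss": two string parameters
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Look up the stored hash for one user and compare it with the submitted password.
function check_login($db, $uname, $upass) {
    $stmt = $db->prepare("SELECT upass FROM users WHERE uname = ?");
    $stmt->bind_param("s", $uname);
    $stmt->execute();
    $stmt->bind_result($stored_hash);
    $found = $stmt->fetch();   // true when a row matched, null when none did
    $stmt->close();
    return $found && password_verify($upass, $stored_hash);
}

// Read the form fields; missing fields become empty strings.
$uname = isset($_POST['uname']) ? $_POST['uname'] : '';
$upass = isset($_POST['upass']) ? $_POST['upass'] : '';

if ($uname === '' || $upass === '') {
    exit("uname and upass are required\n");
}

try {
    if (register_user($mysqli, $uname, $upass)) {
        echo "user created\n";
    }
    // Immediately verify the stored credentials the same way a login form would.
    echo check_login($mysqli, $uname, $upass) ? "login ok\n" : "login failed\n";
} catch (mysqli_sql_exception $e) {
    // For example a duplicate uname rejected by the UNIQUE constraint.
    // Log $e->getMessage() server-side; do not echo it to the browser.
    echo "could not create user\n";
}

$mysqli->close();
?>
```

The bind_param() type string ("ss") tells MySQL how to treat each placeholder; use "i" for integer columns and "d" for doubles. As in the manual example above, bind_param() is called once and the bound variables can be reassigned before each execute(), which is what makes the same prepared statement reusable for several rows.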
Mudsaf Posted August 27, 2013 (Author)

Thanks a lot