Is this search system vulnerable to SQL injection? [duplicate] - php

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
How can I with mysqli make a query with LIKE and get all results?
(2 answers)
Closed 2 years ago.
I have created a PHP and SQLi based search system. It is very basic and works like all of the ones I have found. I just have one question: can a very mean and angry person SQL inject my search system? The search is submitted through an HTML form via POST.
Search System Code
...
require 'includes/dbh.inc.php';
$search = $_POST['search'];
$mysqli = $conn;
// $search is concatenated straight into the SQL text, unescaped and unbound.
$query = "SELECT * FROM listings WHERE listing_name LIKE '%".$search."%'";
echo '<b> <center class="listingstitle">Listings</center> </b> <br> <br>';
if ($result = $mysqli->query($query) and mysqli_num_rows($result) > 0) {
    while ($row = $result->fetch_assoc()) {
        $price = $row["listing_price"];
        $name = $row["listing_name"];
        $seller = $row["listing_seller"];
        $picture = $row["listing_picture"];
...


PHP PDO Return single row [duplicate]

This question already has answers here:
'fetch' in PDO gets only one result [duplicate]
(6 answers)
PDO::FETCH_ASSOC not fetching everything
(1 answer)
Reference - What does this error mean in PHP?
(38 answers)
Closed 5 years ago.
I have a database with five projects added by username. When I want to get the projects by user, it returns me only one project.
<?php
require_once("db.php");
$db = DB();
// $username is interpolated into the SQL text; fetch() returns a single row.
$query = $db->prepare("SELECT * FROM projects WHERE username='$username'");
$query->execute();
$row = $query->fetch();
$name = $row['name'];
$project = $row['project'];
echo "<p>Project name: $name</p>
<p>Project: $project</p>";
?>
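An added example (not the asker's code) that returns every project for the user with the username bound as a parameter rather than interpolated; it assumes `$db` is the PDO instance from `DB()`, that `$username` is set earlier in the script, and the `projects` table and columns named in the question.

```php
<?php
// Added example: all projects for one user via a bound parameter.
// Assumes $db is a PDO instance (DB() in the question), $username is already
// set, and the `projects` table has `username`, `name` and `project` columns.

/**
 * fetch() returns one row and advances the cursor; to get every row for the
 * user, loop over fetch() or call fetchAll() once.
 */
function projectsForUser(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT name, project FROM projects WHERE username = :username');
    // Binding instead of interpolating "$username" into the SQL means a value
    // such as  x' OR '1'='1  is compared literally, not parsed as SQL.
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);   // [] when the user has none
}

$projects = projectsForUser($db, $username);
if ($projects === []) {
    echo '<p>No projects found.</p>';
}
foreach ($projects as $row) {
    // Escape on output so stored project names cannot inject HTML into the page.
    echo '<p>Project name: ', htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), '</p>',
         '<p>Project: ', htmlspecialchars($row['project'], ENT_QUOTES, 'UTF-8'), '</p>';
}
```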

how to get data from previous page to next page ,get id using PDO by $_GET METHOD [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 5 years ago.
Here is my code, called data.php:
<?php
$sql = $db->query('SELECT * FROM tb_karyawan ORDER BY kar_id DESC');
while ($data = $sql->fetch(PDO::FETCH_ASSOC)) {
    // the link to the next page is built here
} ?>
nilai.php?hal=tambah&kd=
And my nilai.php:
<?php
// $_GET["kar_id"] is dropped into the SQL text directly (the problem the answer below fixes)
$sql = $db->query("SELECT * FROM tb_karyawan WHERE kar_id=" . $_GET["kar_id"]);
$data = $sql->fetch(PDO::FETCH_ASSOC);
?>
How do I get kar_id from the previous page to the next page by the $_GET method using PDO? I am new to PDO.
Thanks.
data.php:
<?php while ($data = $sql->fetch(PDO::FETCH_ASSOC)) { ?>
    <a href="nilai.php?kar_id=<?php echo (int) $data['kar_id']; ?>">Link</a>
<?php } ?>
nilai.php:
$kar_id = $_GET["kar_id"];
$sql = $db->prepare('SELECT * FROM tb_karyawan WHERE kar_id=:kar_id');
$sql->bindValue(':kar_id', $kar_id, PDO::PARAM_INT);
$sql->execute();

Is my mysql search secure enough to prevent basic injection attacks? [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 7 years ago.
I recently made a search engine using an HTML form, PHP and mysqli. What it does is, whatever terms I put in the form, it searches for them in my MySQL database and echoes them back on my HTML page. So far it's working as I wanted. However, I have seen people warn about MySQL injection attacks on the tutorial I made this engine from, so can anyone please check my code below and give me some advice?
<?php
$con = mysqli_connect('mysql.hostinger.in', 'steve', 'password', 'win');
// mysqli_real_escape_string() needs the connection as its first argument and
// only accepts a string, so each term is escaped after splitting.
$k = $_GET['k'];
$terms = explode(" ", $k);
$query = "SELECT * FROM xaplinks WHERE ";
$i = 0;
foreach ($terms as $each) {
    $each = mysqli_real_escape_string($con, $each);
    $i++;
    if ($i == 1) {
        $query .= "xap_name LIKE '%$each%'";
    } else {
        $query .= " OR xap_name LIKE '%$each%'";
    }
}
// mysqli_query() returns a result set; it must not be passed through
// mysqli_real_escape_string().
$result = mysqli_query($con, $query);
$numrows = mysqli_num_rows($result);
if ($numrows > 0) {
    while ($row = mysqli_fetch_assoc($result)) {
        $name = $row['xap_name'];
        $link = $row['xap_link'];
        echo "<a href='$link'>$name</a></br>";
    }
} else {
    echo "No results found. :( ";
}
mysqli_close($con);
?>
I read online that escape string in mysqli can help prevent injection, so I've used it, but I'm not sure if it's properly implemented. I'm very new to mysqli.
Any help / tip would be appreciated. Thanks in advance. :)
Use the PDO class instead of the mysqli class. Further, use prepared statements.
You can create a prepared statement using mysqli->prepare.
Should solve your problem.
$queryPrepared = $mysqli->prepare($query);
See more here.
PHP MySQLI Prevent SQL Injection
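The prepared-statement version of the LIKE search that both the first question (single POST term against `listings.listing_name`) and this question (space-separated GET terms OR-ed against `xaplinks.xap_name`) are building; this is an added example, not code from either asker, and it assumes `$conn` is an open mysqli connection with mysqlnd available for `get_result()`. It generalises to any number of terms and also escapes `%` and `_` inside the terms, which neither question handles.

```php
<?php
// Added example (not code from either question): a multi-term LIKE search
// through a mysqli prepared statement. Assumes $conn is an open mysqli
// connection and that mysqlnd is available (needed for get_result()).

/**
 * Rows of $table whose $column contains any whitespace-separated term of
 * $input. Wildcards are added to the bound *values*, never to the SQL text,
 * so user input cannot change the query structure.
 */
function searchByTerms(mysqli $conn, string $table, string $column, string $input, int $maxTerms = 10): array
{
    // Split on whitespace, drop empty pieces, and cap the term count so one
    // request cannot build an arbitrarily large query.
    $terms = array_slice(array_values(array_filter(preg_split('/\s+/', trim($input)), 'strlen')), 0, $maxTerms);
    if ($terms === []) {
        return [];
    }

    // Identifiers cannot be bound, so only plain names are allowed for them.
    foreach ([$table, $column] as $ident) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $ident)) {
            throw new InvalidArgumentException("Bad identifier: $ident");
        }
    }

    // One placeholder per term:  `col` LIKE ? OR `col` LIKE ? ...
    $where = implode(' OR ', array_fill(0, count($terms), "`$column` LIKE ?"));
    $stmt  = $conn->prepare("SELECT * FROM `$table` WHERE $where");

    // Escape LIKE metacharacters inside each term so a typed "%" or "_"
    // matches itself instead of matching everything (default \ escape).
    $params = array_map(
        fn(string $t): string => '%' . addcslashes($t, '%_\\') . '%',
        $terms
    );
    $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    $stmt->execute();

    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// First question's form (POST); the fourth question's GET form is the same call:
$rows = searchByTerms($conn, 'listings', 'listing_name', $_POST['search'] ?? '');
// $rows = searchByTerms($conn, 'xaplinks', 'xap_name', $_GET['k'] ?? '');
foreach ($rows as $row) {
    // Escape on output too; otherwise stored names are injected into the HTML.
    echo htmlspecialchars($row['listing_name'], ENT_QUOTES, 'UTF-8'), '<br>';
}
```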

Is it better to use mysqli_real_escape_string (with mysqli) or placeholders (with PDO)? [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
Given this code:
mysqli_set_charset($con, 'utf8');
$id = mysqli_real_escape_string($con, $_GET['id']);
$result = mysqli_query($con, "SELECT * FROM post WHERE id_post = '$id'");
if (mysqli_num_rows($result) == 0) {
    header('Location: 404.php');
    die();
} else {
    // Continue...
}
And this:
$id = filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT);
// New PDO...
$Ps = $Pdo->prepare('SELECT * FROM post WHERE id_post = :id');
$Ps->execute(array(':id' => $id)); // execute() takes placeholder => value pairs
if ($Ps->rowCount() == 0) {
    header('Location: 404.php');
    die();
} else {
    // Continue...
}
Is there a best option to prevent SQL injection, or are they equivalent?
Second option is the way to go. Using mysql_real_escape_string() leaves open some space for SQL injection using some exotic multibyte character. Ref: SQL injection that gets around mysql_real_escape_string()
Alternatively you can use prepared statements with mysqli.
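The second option done fully, as an added example that is not part of the question or answer: the connection charset is declared in the DSN (which is what closes the multibyte gap the answer refers to), emulated prepares are turned off so the value never travels inside the SQL text, the id is validated rather than sanitised, and the `execute()` array is keyed by placeholder. `DB_HOST`, `DB_NAME`, `DB_USER` and `DB_PASSWORD` are placeholders; `post` and `id_post` are the question's table and column.

```php
<?php
// Added example (not from the question or answer). DB_* values are placeholders.

// 1. Declare the charset in the DSN, not via a later SET NAMES, so the client
//    library and the server agree on it; disable emulated prepares so the
//    value is sent separately from the SQL text.
$pdo = new PDO(
    'mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4',
    'DB_USER', 'DB_PASSWORD',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// 2. Validate the id as a positive integer instead of stripping characters:
//    anything else is rejected outright rather than silently rewritten.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    header('Location: 404.php', true, 302);
    exit;
}

// 3. Bind by name. execute() expects placeholder => value pairs; the
//    question's array(':id', $id) does not bind anything to :id.
$stmt = $pdo->prepare('SELECT * FROM post WHERE id_post = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();

// rowCount() is not guaranteed for SELECT on every driver; fetch the row.
$post = $stmt->fetch();
if ($post === false) {
    header('Location: 404.php', true, 302);
    exit;
}
// Continue with $post ...

// The same with a mysqli prepared statement, the answer's alternative:
// $mysqli = new mysqli('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// $mysqli->set_charset('utf8mb4');
// $stmt = $mysqli->prepare('SELECT * FROM post WHERE id_post = ?');
// $stmt->bind_param('i', $id);
// $stmt->execute();
// $post = $stmt->get_result()->fetch_assoc();
```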

How to change normal sql php code to secure pdo? [duplicate]

This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Best way to prevent SQL Injection in PHP
Is this code secure, since I am using mysql_real_escape_string and strip_tags?
Is there any need to change to PDO?
I am not able to convert the following code to PDO because it displays "cannot modify header".
<?php
include('config.php');
$link = mysql_connect($db_host, $username, $password);
mysql_select_db($db_name);
$id = $_POST["uniqi"];
$comments = $_POST["comments"];
$comments = mysql_real_escape_string($comments);
$comments = strip_tags($comments);
$update = "UPDATE mastertable SET comments = '$comments' WHERE id_pk= '$id'";
mysql_query($update, $link);
mysql_close();
header('Location: http://www.xxxx.com/xxxxx/xxxx.php?cntmsg=Comment Updated');
?>
This is not safe code - your $id variable is not processed by your code.
$id = $_POST["uniqi"];
$id = mysql_real_escape_string($id);
$id = strip_tags($id);
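The question's UPDATE converted to PDO with both values bound, as an added example that is neither the asker's nor the answerer's code; it assumes `config.php` defines `$db_host`, `$db_name`, `$username` and `$password` as the original does, keeps the question's redirect URL, and shows the one condition under which `header()` keeps working after the conversion.

```php
<?php
// Added example (not the asker's code): the UPDATE in PDO with bound
// parameters and a working redirect. Assumes config.php sets $db_host,
// $db_name, $username and $password as in the question.

include 'config.php';

$pdo = new PDO("mysql:host=$db_host;dbname=$db_name;charset=utf8mb4", $username, $password, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

function updateComment(PDO $pdo, int $id, string $comments): int
{
    // No mysql_real_escape_string / strip_tags here: the value is bound, so it
    // is stored verbatim and cannot alter the SQL. Escape it for HTML when it
    // is displayed, not when it is stored.
    $stmt = $pdo->prepare('UPDATE mastertable SET comments = :comments WHERE id_pk = :id');
    $stmt->bindValue(':comments', $comments, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();   // number of rows actually changed
}

// Validate the id before it reaches the query; non-integers are rejected.
$id = filter_input(INPUT_POST, 'uniqi', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid id');
}
$comments = (string) ($_POST['comments'] ?? '');

$changed = updateComment($pdo, $id, $comments);

// "Cannot modify header information" means output was already sent to the
// browser (HTML, whitespace or a BOM before <?php in this file or in
// config.php). Keep everything above this line free of output, then stop.
header('Location: http://www.xxxx.com/xxxxx/xxxx.php?cntmsg=' . rawurlencode('Comment Updated'));
exit;
```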
