This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 3 years ago.
If I input acesr'ss as categoryname in my POST-Request, it will insert only acesr into my database. I can't figure out why.
Relevant code snippet:
$cate_name=mysqli_real_escape_string($conn,$_POST['categoryname']);
$usersql="Insert INTO abc(category_name) VALUES('".$cate_name."')";
I also tried addslashes, but get the same problem.
Can you try to insert using parameterised sql query.this will prevent sql injection
$dmessage = html_entity_decode ($cate_name, ENT_QUOTES | ENT_XML1, 'UTF-8') ;
$createSql = $db->prepare(" INSERT INTO abc(category_name) VALUES(:cate_name)" );
$createSql->execute(array(
":cate_name" => trim($cate_name)
));
Related
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 4 years ago.
A team I work with has a habit of escaping IDs and integers in SQL like this:
$var = $var + 0;
$sql = "SELECT * FROM whatever WHERE id = $var";
Is this an acceptable way to prevent SQL injection in PHP, or is it vulnerable?
No its not a preventive way. Use PHP PDO. Read this:
https://www.w3schools.com/php/php_mysql_connect.asp
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
$type_of_poker = "hold'em no limit";
$sql = "INSERT INTO hands (type_of_poker) VALUES ('$type_of_poker')";
Im trying to put hold'em no limit into a SQL database but it won't let me
use ' i cant upload holdem no limit for a long list resones that have to do
with the rest of my code.
Instead of trying to escape the apostrophe, it is much better practice to use prepared statements and binded parameters which will also solve your problem. It solves your problem because you then don't need to escape the apostrophe ('):
$type_of_poker = "hold'em no limit";
//binding the parameters to your sql statement
$sql = "INSERT INTO hands (type_of_poker) VALUES (:type_of_poker)";
$stmt = $conn->prepare($sql);
$stmt->bindParam(':type_of_poker',$type_of_poker);
$stmt->execute();
Let me know if that worked for you! :)
This question already has answers here:
SQL injection that gets around mysql_real_escape_string()
(4 answers)
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
I'm not familiar with sql injection and I wanna know if there is any invulnerability in my script, if there is please point it out and give me some tip to fix it.
<?php
include("config.php");
?>
<?php
$desc = $_POST['desc'];
$desc = mysql_real_escape_string($desc);
$author = $_POST['author'];
$date = date("d/M/Y");
mysql_query("INSERT INTO `changelog`(`author`, `date`, `description`) VALUES ('{$author}','{$date}','$desc')") or die(mysql_error());
include("success.php");
?>
Yes there is. You are solely relying on mysql_real_escape_string which has been deprecated. Furthermore you should build some of your own logic tests based on a range of input that you are expecting. You might want to use RegExp or some other trimming functions but don't rely just on mysql_real_escape_string.
You should write some logic to test the data you are expecting.
You can check out http://php.net/manual/en/security.database.sql-injection.php for more information on preventing SQL Injections.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 3 years ago.
For example I use
$building_name = $_POST['BuildingName'];
$metering_type = $_POST['MeteringType'];
$query = "INSERT INTO buildings (BuildingName, MeteringType)
VALUES ('$building_name', '$metering_type')";
if(mysqli_query($link, $query))
{
echo json_encode(Array("success"=>true));
}
And I believe that this prevents me from SQL injections. Am I safe?
No, that doesn't protect you in the slightest.
You need to use MySQLi's parameterized queries via prepare.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 2 years ago.
Which means, at the moment, are the safest for screening data in php to send them to the mysql database.
Thank, you )
I believe mysql_real_escape_string() mysqli_real_escape_string() is the best way to escape input data
Later edit since everything is deprecated now and information must be valid:
Try to use PDO as prepared statements are much safer or mysqli_*() functions if you really need to keep old code somewhat up-to-date.
Currently the most preferred way to insure your safety is prepared statements.
example:
$preparedStatement = $db->prepare('SELECT * FROM memebers WHERE username = :username');
$preparedStatement->execute(array(':username' => $username));
$rows = $preparedStatement->fetchAll();
then when displaying your data use htmlspecialchars()
validMySQL($var) {
$var=stripslashes($var);
$var=htmlentities($var);
$var=strip_tags($var);
$var=mysql_real_escape_string($var);
return $var
}
The above code helps to sanitize most invalid data, just remember that you've to be connected to mysql database for mysql_real_escape_string to work...