Escape MYSQL injection with GET method [duplicate] - php

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 4 years ago.
I generate a MySQL query via $_GET in PHP using the concatenation assignment operator (.=). Take a look:
$sql='SELECT * FROM table WHERE ';
$sql.='ID='.$_GET['id'].'';
$query=$PDO->prepare($sql);
How can I prevent MySQL injection?
I use bind values for direct queries, but in this case I don't have any idea how I should write my code to be safe enough.
Note that I use PHP 7 and I can't use mysql_real_escape_string(), as it's not available in PHP 7.

You could use something like the following:
<?php
$sql = $PDO->prepare("SELECT * FROM table WHERE ID=?");
if ($sql->execute(array($_GET['id']))) {
    while ($row = $sql->fetch()) {
        print_r($row);
    }
}
?>
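The question's concern is that the WHERE clause is assembled with .= rather than written in one go. The following is an added example, not code from the answer above: it keeps the concatenation style, but only SQL text and placeholders are concatenated, while the user-supplied values are collected separately and bound. It assumes $PDO is an open PDO connection and a table named items with columns ID, name and status (the table and column names are assumed; MySQL treats the question's name "table" as a reserved word).

```php
<?php
// Added example (not from the original answer). Build the WHERE clause with ".="
// as in the question, but concatenate placeholders, never the request values.
// Assumes $PDO is an existing PDO connection and a table "items" with columns
// ID, name and status (names assumed for illustration).
function buildFilteredQuery(PDO $PDO, array $get): PDOStatement
{
    $sql    = 'SELECT * FROM items WHERE 1=1';
    $params = [];

    // Integer filter: the placeholder goes into the SQL, the value into $params.
    if (isset($get['id']) && $get['id'] !== '') {
        $sql .= ' AND ID = :id';
        $params[':id'] = $get['id'];
    }
    // String filter: a quote inside the value cannot end the literal, because
    // the value is never part of the SQL text the server parses.
    if (isset($get['name']) && $get['name'] !== '') {
        $sql .= ' AND name = :name';
        $params[':name'] = $get['name'];
    }
    if (isset($get['status']) && $get['status'] !== '') {
        $sql .= ' AND status = :status';
        $params[':status'] = $get['status'];
    }

    $stmt = $PDO->prepare($sql);
    // Bind each collected value with an explicit type.
    foreach ($params as $placeholder => $value) {
        $type = ($placeholder === ':id') ? PDO::PARAM_INT : PDO::PARAM_STR;
        $stmt->bindValue($placeholder, $value, $type);
    }
    $stmt->execute();
    return $stmt;
}

$stmt = buildFilteredQuery($PDO, $_GET);
foreach ($stmt as $row) {
    print_r($row);
}
```

The SQL string still grows with .= per filter, so the shape of the query stays dynamic; what changes is that $_GET values only ever reach the database as bound parameters.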

Related

Is `$var = $var + 0` an acceptable way to prevent SQL injection in PHP? [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 4 years ago.
A team I work with has a habit of escaping IDs and integers in SQL like this:
$var = $var + 0;
$sql = "SELECT * FROM whatever WHERE id = $var";
Is this an acceptable way to prevent SQL injection in PHP, or is it vulnerable?
No, it's not a preventive way. Use PHP PDO. Read this:
https://www.w3schools.com/php/php_mysql_connect.asp
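As an added example that is not part of the answer above: rather than relying on arithmetic coercion, validate that the input really is an integer and then bind it with an integer type. It assumes $pdo is an open PDO connection and the table "whatever" with an integer id column from the question.

```php
<?php
// Added example (not from the original answer). Reject anything that is not a
// well-formed integer up front, then bind the checked value as an integer.
// Assumes $pdo is an existing PDO connection and a table "whatever" with an
// integer "id" column, as in the question.
function fetchById(PDO $pdo, $rawId): ?array
{
    // FILTER_VALIDATE_INT returns false for "", "abc", "42abc", "1.5" and for
    // values outside the configured range, so bad input never reaches SQL.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;   // caller decides how to report the bad request
    }

    $stmt = $pdo->prepare('SELECT * FROM whatever WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return ($row === false) ? null : $row;
}

var_dump(fetchById($pdo, '42'));     // valid integer: query runs with id = 42
var_dump(fetchById($pdo, '42abc'));  // not an integer: null, no query executed
var_dump(fetchById($pdo, ''));       // empty: null, no query executed
```

The validation step gives a clear accept/reject decision that can be logged and turned into a 400 response, instead of silently turning unexpected input into 0.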

what is correct way to do this php code [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
I have this query:
$query = "SELECT * FROM customers WHERE customer_name = '{$orders}'";
but when the value of $orders contains a single quote ('), for example:
$orders = "Carlo's shop";
the query returns an error.
Is there any good way to handle this situation?
Use PDO with prepared statements. See reference docs.
$query = $pdo->prepare('SELECT * FROM customers WHERE customer_name= :orders');
$query->execute(array('orders' => $orders));
You can also look into using mysqli with prepared statements.
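To see the apostrophe case from the question round-trip correctly, here is an added example (not code from the answer above) that runs against PDO's SQLite driver in memory, so no MySQL server is needed. The table and the row "Carlo's shop" are constructed here for illustration.

```php
<?php
// Added example (not from the original answer): a self-contained run using an
// in-memory SQLite database through PDO. The customers table and its rows are
// constructed here only to demonstrate the named placeholder from the answer.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, customer_name TEXT)');

$insert = $pdo->prepare('INSERT INTO customers (customer_name) VALUES (:name)');
foreach (["Carlo's shop", "Plain Name"] as $name) {
    $insert->execute([':name' => $name]);   // the apostrophe is data, not SQL
}

function findCustomer(PDO $pdo, string $orders): array
{
    $query = $pdo->prepare('SELECT * FROM customers WHERE customer_name = :orders');
    $query->execute(['orders' => $orders]);  // the key may be given with or without ':'
    return $query->fetchAll(PDO::FETCH_ASSOC);
}

$orders = "Carlo's shop";
$rows = findCustomer($pdo, $orders);
// Exactly one row comes back, and its customer_name still contains the apostrophe.
var_dump(count($rows), $rows[0]['customer_name']);
```

Because the value travels as a parameter, no escaping of the quote is needed in application code, and the same code works unchanged when the DSN points at MySQL instead of SQLite.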

semi-colon breaking mysql_query [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
I'm adding some HTML code to a database through mysql_query. So, a basic query looks like this:
$qry = "UPDATE Pages SET ".$column."='$value' WHERE id='$id'";
If this is called, an actual query might look like this:
$qry = "UPDATE Pages SET content_en='<h1>This is a title</h1>' WHERE id='12'";
However, if the HTML code looks like this:
<h1 style='color:red;'>This is a title</h1>
it'll break the query because of the semi-colon. Is there any way to solve this?
Use the mysqli escaping function over your content, like this:
$value = mysqli_real_escape_string($link, $value); // $link: your open mysqli connection (the link is a required first argument)
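The query in the question has two dynamic parts: a column name and a value. An added example follows (not the answer's code) showing the prepared-statement alternative in object-oriented mysqli: the column name cannot be a bound parameter, so it is checked against a fixed list, while the HTML content and the id are bound. It assumes $mysqli is an open mysqli connection, the Pages table from the question, and an assumed list of updatable columns.

```php
<?php
// Added example (not from the original answer). Identifiers cannot be bound, so the
// column name is restricted to a whitelist; the HTML value and the id are bound, so
// quotes and semicolons inside the content are stored literally.
// Assumes $mysqli is an open mysqli connection and the Pages table from the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors become exceptions

const PAGE_COLUMNS = ['content_en', 'content_fr', 'title'];  // assumed list of editable columns

function updatePage(mysqli $mysqli, string $column, string $value, int $id): int
{
    if (!in_array($column, PAGE_COLUMNS, true)) {
        throw new InvalidArgumentException("Unknown column: $column");
    }
    // The identifier comes from the whitelist; both values are placeholders.
    $stmt = $mysqli->prepare("UPDATE Pages SET `$column` = ? WHERE id = ?");
    $stmt->bind_param('si', $value, $id);   // s = string, i = integer
    $stmt->execute();
    $affected = $stmt->affected_rows;       // number of rows changed
    $stmt->close();
    return $affected;
}

$value = "<h1 style='color:red;'>This is a title</h1>";
$changed = updatePage($mysqli, 'content_en', $value, 12);
echo "rows updated: $changed\n";
```

The whitelist is the important part for the column: any request naming a column outside the list is refused before a statement is prepared, and the content itself needs no escaping at all.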

Is this code using PDO secure? [duplicate]

This question already has answers here:
Are PDO prepared statements sufficient to prevent SQL injection?
(7 answers)
Closed 9 years ago.
I am new to PDO. As I heard, PDO can prevent SQL injection attacks.
Here's what I have written:
$db = new PDO('mysql:host=192.168.57.36; dbname=somedb; charset=UTF8', 'user1', 'pass1');
$sql = "SELECT * FROM table1 WHERE id = ?";
$stmt = $db->prepare($sql);
$stmt->execute(array($tid));
Is it secure code? I guess prepare should do some securing acts, but the variable is passed to the query after it.
Should I use addParam before the execution method?
Thank you.
Should I use addParam before the execution method?
No.
Passing a variable into execute does pretty much the same.
There could be other issues though; you can read on them here.
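As an added example that is not part of the answer above, here are the binding styles side by side, together with the connection options commonly set alongside them. The host and credentials are placeholders, and $tid is a constructed sample value standing in for the question's variable.

```php
<?php
// Added example (not from the original answer): execute([...]), bindValue() and
// bindParam() side by side on the question's query. DB_HOST, user and password
// are placeholders; $tid is a constructed sample id.
$dsn = 'mysql:host=DB_HOST;dbname=somedb;charset=utf8mb4';
$db  = new PDO($dsn, 'user1', 'pass1', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, not silently
    PDO::ATTR_EMULATE_PREPARES   => false,                  // let the server parse the statement
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

$tid = 5;   // constructed sample value
$sql = "SELECT * FROM table1 WHERE id = ?";

// Style 1: values handed to execute(); each value is sent as a string parameter.
$stmt = $db->prepare($sql);
$stmt->execute([$tid]);
$rowsA = $stmt->fetchAll();

// Style 2: bindValue() with an explicit type; same protection, typed parameter.
$stmt = $db->prepare($sql);
$stmt->bindValue(1, (int) $tid, PDO::PARAM_INT);
$stmt->execute();
$rowsB = $stmt->fetchAll();

// Style 3: bindParam() binds by reference, so the variable is read when execute() runs.
$stmt = $db->prepare($sql);
$stmt->bindParam(1, $tid, PDO::PARAM_INT);
$tid = 7;          // this later value is the one the statement uses
$stmt->execute();
$rowsC = $stmt->fetchAll();

var_dump(count($rowsA), count($rowsB), count($rowsC));
```

All three styles keep the value out of the SQL text; the choice between them is about typing and reference semantics, not about safety.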

Is it enough to use mysqli in PHP to prevent SQL injections? [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 3 years ago.
For example, I use
$building_name = $_POST['BuildingName'];
$metering_type = $_POST['MeteringType'];
$query = "INSERT INTO buildings (BuildingName, MeteringType)
          VALUES ('$building_name', '$metering_type')";
if (mysqli_query($link, $query))
{
    echo json_encode(Array("success" => true));
}
And I believe that this protects me from SQL injection. Am I safe?
No, that doesn't protect you in the slightest.
You need to use MySQLi's parameterized queries via prepare.
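The following is an added example, not the answer's own code: the same INSERT as a prepared statement in procedural mysqli, matching the mysqli_query() style of the question. It assumes $link is the open mysqli connection from the question.

```php
<?php
// Added example (not from the original answer): the question's INSERT rewritten as a
// prepared statement using procedural mysqli. Assumes $link is the open connection.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors become exceptions

function insertBuilding(mysqli $link, string $buildingName, string $meteringType): bool
{
    // Placeholders mark where the values go; the values never touch the SQL text.
    $stmt = mysqli_prepare(
        $link,
        'INSERT INTO buildings (BuildingName, MeteringType) VALUES (?, ?)'
    );
    mysqli_stmt_bind_param($stmt, 'ss', $buildingName, $meteringType); // two string params
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

$building_name = $_POST['BuildingName'] ?? '';
$metering_type = $_POST['MeteringType'] ?? '';

try {
    $success = insertBuilding($link, $building_name, $metering_type);
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());   // keep the detail server-side
    $success = false;
}
header('Content-Type: application/json');
echo json_encode(['success' => $success]);
```

Note that the POST values are still used unchanged; what makes this safe is that they are bound as parameters instead of being interpolated into the query string.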
