This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I need to use a select query, but my code keeps crashing because some of the names have apostrophes in them. I pull all the data into a table and halfway through it just stops because it hits an apostrophe.
My select Query:
$query = mysqli_query($dbh, "select * FROM show_invoice where id_show='$get_id' and status='UNPAID' and scratch = 'Unscratched' and show_deleted != 'Deleted' ORDER BY `class_no` ASC");
There are 3 columns that will possibly contain apostrophes. Any advice on how I can stop it from crashing?
You can use mysqli_real_escape_string.
So just do
$get_id = mysqli_real_escape_string($dbh,$get_id);
before running your query.
Note: You should really use prepared statements instead of building your own queries, because of the risk of SQL injection attacks.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 4 years ago.
Most of the time I've been doing SQL like this:
$pdo = new PDO($dsn, $usr, $pass);
$qry = 'SELECT * FROM `my_table` WHERE `pk_id` = '. $id .';';
$res = $pdo->query($qry);
but recently I've seen a few posts showing that the only way to be safe is using prepared statements. This isn't really an issue for me, and this probably has an answer, just one I couldn't find from Googling around.
Surely, if all of my statements end in .';', using concat is OK?
Thanks,
No.
In SQL, it does not give an error if you supply two semicolons at the end of your query.
So if a user could pass along this:
1; DROP TABLE users;
it will have the same consequences, with or without the semicolon your code adds at the end.
The huge benefit of prepared statements is that no data is being altered. It just simply sends two queries.
Here is a nice source which contains a lot of SQL injection examples.
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 5 years ago.
I have this SQL query
$sql_ = "SELECT score FROM users WHERE username=$row['uid']";
Every user in the users table has a score value and a username. $row['uid'] is a variable from a previous SQL statement. This query is giving me an error; how would I fix this? Also, how would I get that score value into a single variable?
You need to use some SQL Injection prevention mechanism. Never use raw variables in a query like that. Have a look at PDO.
You need to bind your variables and then execute the query.
But for what you need, and ONLY for testing purposes, check the following, which quotes your variable:
$sql_ = "SELECT score FROM users WHERE username = '" . $row['uid'] . "'";
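A worked version of the fix both this answer and the earlier apostrophe question point to, added here and not taken from any of the questions or answers above. It uses an in-memory SQLite database through PDO so it runs offline (the users table and its rows are constructed for the example); the prepared-statement part works unchanged with a MySQL DSN, and the same binding also handles names containing apostrophes, which is what crashed the first question's query.

```php
<?php
// Added example (not from the question or answers): a bound parameter versus
// string concatenation when the value contains an apostrophe.
$pdo = new PDO('sqlite::memory:');                    // constructed, offline database
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT, score INTEGER)');
$pdo->exec("INSERT INTO users VALUES ('alice', 10), ('O''Brien', 25)");

$uid = "O'Brien";   // constructed input: a username containing an apostrophe

// 1. Concatenation with manual quoting: the apostrophe in the value closes the
//    string literal early, the statement no longer parses, and the query fails.
try {
    $pdo->query("SELECT score FROM users WHERE username = '" . $uid . "'");
    echo "concatenated query ran\n";
} catch (PDOException $e) {
    echo "concatenated query failed: " . $e->getMessage() . "\n";
}

// 2. Prepared statement: the value is sent separately from the SQL text, so
//    quote characters inside it are just data and cannot alter the statement.
$stmt = $pdo->prepare('SELECT score FROM users WHERE username = :uid');
$stmt->execute([':uid' => $uid]);

// fetchColumn() pulls the single selected column of the first row into one variable.
$score = $stmt->fetchColumn();
echo "score for $uid: " . var_export($score, true) . "\n";
```

Run it with the pdo_sqlite extension enabled (it is in most PHP builds). The first query throws a syntax error because the apostrophe in O'Brien terminates the literal; the prepared statement returns the row, and fetchColumn() gives the score as a single value rather than a result set.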
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
If you use htmlspecialchars() when receiving input from the user, like:
$email = htmlspecialchars($_POST['email']);
Should you use a prepared statement if the query is just a SELECT one?
You should always use prepared statements. Here's an example:
If the user inputs the following:
"105 or 1=1"
The htmlspecialchars() function won't do anything to it.
The query would look like:
SELECT * FROM Users WHERE UserId = 105 or 1=1
See this doc
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
OK, so I have this kind of query:
SELECT * FROM table WHERE column LIKE 'Blahblahblah Blah - Blah (Blah-Blah)'
(Yep, column values are 20-30 characters long)
And it works in phpmyadmin and returns ~ 100 results.
But when I try it in the PHP framework CI (CodeIgniter), it is not returning any values.
My code looks like:
$sql = "SELECT * FROM table WHERE column LIKE '$val' ORDER BY column ASC";
$sql = $this->db->query($sql);
return $sql->result();
So how do I get this to work?
Before you try to make it work, you really, really need to change the way you're constructing the query. You should use a prepared statement where you introduce variables, and then bind them to values.
The way you've written it is horribly vulnerable to SQL injection attacks. (Suppose $val contained '; DROP DATABASE blah; .... What would the whole SQL statement now look like?) If you try to solve the problem in its current form, you'll end up with something that works but will be very dangerous. Make it safe first with a prepared statement.
Details in this linked question.
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Are dynamic mysql queries with sql escaping just as secure as prepared statements?
Is using only mysqli_real_escape_string enough to secure a query? Or is there more to consider when trying to securely query a database?
If used everywhere correctly, real_escape_string is an option. But consider the following code:
$page = $_GET['page'];
$sql = 'SELECT `name` FROM `user` WHERE `id` = ' . mysqli_real_escape_string($link, $page); // $link is the mysqli connection
Safe or not? real_escape_string can only be used to escape strings inside quotation marks. $page could be 1 OR id IN (2,3,4,5,6,7,8,9) → no quotation marks, no real escaping. Casting to the correct datatype (int) might help in this case. You're better off using prepared statements; they are not as easy to misuse.
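An added example, not code from any of the questions or answers above, that runs the scenario in this answer and in the earlier htmlspecialchars() question: an unquoted numeric comparison, where neither HTML encoding nor SQL string escaping changes the input. It uses an in-memory SQLite database through PDO so it runs offline; the user table, its rows and the $page value are constructed here. addslashes() stands in for mysqli_real_escape_string(), which needs a live MySQL connection; both leave this input untouched because it contains no quote or backslash characters.

```php
<?php
// Added example (not from the questions or answers): escaping versus casting
// versus binding when the value lands outside quotation marks.
$pdo = new PDO('sqlite::memory:');                    // constructed, offline database
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO user VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

$page = '1 OR id IN (2,3,4,5,6,7,8,9)';   // constructed stand-in for $_GET['page']

// Helper: prepare, bind each value with an explicit PDO type, and count rows.
function rowCount(PDO $pdo, string $sql, array $bind = []): int
{
    $stmt = $pdo->prepare($sql);
    foreach ($bind as $name => [$value, $type]) {
        $stmt->bindValue($name, $value, $type);
    }
    $stmt->execute();
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

// Neither function touches this input: there is nothing for them to encode or escape.
echo 'htmlspecialchars() changed the input: ', var_export(htmlspecialchars($page) !== $page, true), "\n";
echo 'addslashes() changed the input:       ', var_export(addslashes($page) !== $page, true), "\n";

// Escaped, then concatenated: the OR clause is still live SQL.
echo 'escaped + concatenated: ',
     rowCount($pdo, 'SELECT name FROM user WHERE id = ' . addslashes($page)), " rows\n";

// Cast to int first: PHP keeps the leading number and discards the rest.
echo 'cast to (int):          ',
     rowCount($pdo, 'SELECT name FROM user WHERE id = ' . (int) $page), " rows\n";

// Bound parameter: the value travels as data and is never parsed as SQL.
echo 'bound as PARAM_INT:     ',
     rowCount($pdo, 'SELECT name FROM user WHERE id = :id', [':id' => [(int) $page, PDO::PARAM_INT]]), " rows\n";
echo 'bound as PARAM_STR:     ',
     rowCount($pdo, 'SELECT name FROM user WHERE id = :id', [':id' => [$page, PDO::PARAM_STR]]), " rows\n";
```

With pdo_sqlite enabled, the escaped-and-concatenated query returns all three rows, which is the injection. The cast and the PARAM_INT binding each return the single row with id 1, and the PARAM_STR binding returns no rows on SQLite because the text cannot be coerced to an integer (MySQL would coerce it to 1 with a truncation warning). In every variant except the first, the attacker's OR clause never becomes part of the statement.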