We Keep Coding

How to i prevent sql injection from this code , please add your suggestions in my code [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 5 years ago.
<?php
// I fetching data from sql table "product".i want to prevent all unwanted characters and all.please add your suggestions in my code.
if(isset($_GET['search'])){
$search_query = $_GET['user_query'];
$get_pro = "select * from product where title like '%$search_query%'";
$run_pro = mysqli_query($con, $get_pro);
while($row_pro=mysqli_fetch_array($run_pro)){
$pro_title = $row_pro['title'];
echo " <span>$pro_title</span> "
}
}
?>

To prevent SQL Injection PDO(PHP Data Objects) is the best way to go. PDO gives more flexibilty to the programmer as if you want to switch your project to use another database, PDO makes the process very easy. You only have to change the connection string and a few queries.
If your project is in initial stage and you want to attain more flexibility I'll highly recommend to switch over to PDO. To know more about PDO you can refer to this link How does PHP PDO's prepared statements prevent sql injection? What are other benefits of using PDO? Does using PDO reduce efficiency?
Okay coming back to the problem you asked. To prevent SQL injection in mysqli interface you could use mysqli_real_escape_string() function which takes two args:
connection- Specifies the MySQL connection to use(required)
escapestring- The string to be escaped(required)
After this step your code will look like this-
$search_query = mysqli_real_escape_string($conn, $_GET['user_query']);
where $conn will be your connection handle.
You can append the '%' operator after this step and can use the result to perform the query.

Is this code using PDO secure? [duplicate]

This question already has answers here:
Are PDO prepared statements sufficient to prevent SQL injection?
(7 answers)
Closed 9 years ago.
I am new to PDO. As I heard PDO can prevent SQL injection attack.
Here's what I have written:
$db = new PDO('mysql:host=192.168.57.36; dbname=somedb; charset=UTF8', 'user1', 'pass1');
$sql = "SELECT * FROM table1 WHERE id = ?";
$stmt = $db->prepare($sql);
$stmt->execute(array($tid));
Is it a secure code ? I guess prepared should do some securing acts but the variable is passed to query after it.
Shoud I use addParam before execution method?
Thank you.

Shoud I use addParam before execution method?
No.
Passing a variable into execute does pretty the same.
There could be other issues though, you can read on them here

How to escape strings in pdo? [duplicate]

This question already has answers here:
Real escape string and PDO [duplicate]
(3 answers)
Closed 10 years ago.
I would like to know how to escape strings in pdo .
I have been escaping the springs like in the code bellow but now with pdo I do not know how to do it
$username=(isset($_POST['username']))? trim($_POST['username']): '';
$previlage =(isset($_GET['previlage']));
$query ="SELECT * FROM site_user
WHERE username = '".mysql_real_escape_string($_SESSION['username'])."' AND previlage ='Admin'";
$security = mysql_query($query)or die (mysql_error($con));
$count = mysql_num_rows($security);

Well, you can use PDO::quote, but, as said in its own docpage...
If you are using this function to build SQL statements, you are
strongly recommended to use PDO::prepare() to prepare SQL statements
with bound parameters instead of using PDO::quote() to interpolate
user input into an SQL statement.
In your case it can look like this:
$query = "SELECT *
FROM site_user
WHERE username = :username AND previlage = 'Admin'";
$sth = $dbh->prepare($query);
$sth->execute(array(':username' => $_SESSION['username']) );

mysql_* function will not work in PDO. WHY? Because PDO doesnt use mysql to connect to a databases, as far as input sanitization, PDO uses prepared statements you can find a good tutorial for that here: pdo

Is it enough to use mysqli in PHP to prevent SQL injections? [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 3 years ago.
For example I use
$building_name = $_POST['BuildingName'];
$metering_type = $_POST['MeteringType'];
$query = "INSERT INTO buildings (BuildingName, MeteringType)
VALUES ('$building_name', '$metering_type')";
if(mysqli_query($link, $query))
{
echo json_encode(Array("success"=>true));
}
And I believe that this prevents me from SQL injections. Am I safe?

No, that doesn't protect you in the slightest.
You need to use MySQLi's parameterized queries via prepare.

How to safely escape the input data in php for mysql [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 2 years ago.
Which means, at the moment, are the safest for screening data in php to send them to the mysql database.
Thank, you )

I believe mysql_real_escape_string() mysqli_real_escape_string() is the best way to escape input data
Later edit since everything is deprecated now and information must be valid:
Try to use PDO as prepared statements are much safer or mysqli_*() functions if you really need to keep old code somewhat up-to-date.

Currently the most preferred way to insure your safety is prepared statements.
example:
$preparedStatement = $db->prepare('SELECT * FROM memebers WHERE username = :username');
$preparedStatement->execute(array(':username' => $username));
$rows = $preparedStatement->fetchAll();
then when displaying your data use htmlspecialchars()

validMySQL($var) {
$var=stripslashes($var);
$var=htmlentities($var);
$var=strip_tags($var);
$var=mysql_real_escape_string($var);
return $var
}
The above code helps to sanitize most invalid data, just remember that you've to be connected to mysql database for mysql_real_escape_string to work...