PHP insert ' into SQL [duplicate] - php

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
$type_of_poker = "hold'em no limit";
$sql = "INSERT INTO hands (type_of_poker) VALUES ('$type_of_poker')";
I'm trying to put hold'em no limit into a SQL database, but it won't let me
use '. I can't upload holdem no limit, for a long list of reasons that have to do
with the rest of my code.

Instead of trying to escape the apostrophe, it is much better practice to use prepared statements and bound parameters, which will also solve your problem. It solves your problem because you then don't need to escape the apostrophe ('):
$type_of_poker = "hold'em no limit";
//binding the parameters to your sql statement
$sql = "INSERT INTO hands (type_of_poker) VALUES (:type_of_poker)";
$stmt = $conn->prepare($sql);
$stmt->bindParam(':type_of_poker',$type_of_poker);
$stmt->execute();
Let me know if that worked for you! :)

Related

Escape MYSQL injection with GET method [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 4 years ago.
I generate a MySQL query via $_GET in PHP via concatenation assignment (.=).
Take a look:
$sql='SELECT * FROM table WHERE ';
$sql.='ID='.$_GET['id'].'';
$query=$PDO->prepare($sql);
How can I prevent MySQL injection?
I use bind values for direct queries, but in this case I don't have any idea how I should write my code to be safe enough.
Note that I use PHP 7 and I can't use mysql_real_escape_string(); as it's not available in PHP 7.
You could use something like the following:
<?php
$sql = $PDO->prepare("SELECT * FROM table WHERE ID=?");
if ($sql->execute(array($_GET['id']))) {
    while ($row = $sql->fetch()) {
        print_r($row);
    }
}
?>
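
Added example (not part of the original answer): when the WHERE clause is assembled with .= as in the question, the same concatenation can append placeholders instead of values. The items table, its columns, the findItems() helper and the request arrays are constructed for illustration, and SQLite in memory stands in for MySQL.

```php
<?php
// Added example: table `items` and its columns are constructed for illustration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (ID INTEGER PRIMARY KEY, owner TEXT, status TEXT)');
$pdo->exec("INSERT INTO items (owner, status) VALUES
            ('alice', 'open'), ('bob', 'open'), ('alice', 'closed')");

/**
 * Build a SELECT whose WHERE clause depends on which request keys are present.
 * Column names come from a fixed allow-list; values only ever travel as
 * bound parameters, so the SQL text never contains request data.
 */
function findItems(PDO $pdo, array $request): array
{
    // request key => column name (identifiers cannot be bound, so they are fixed here)
    $allowed = ['id' => 'ID', 'owner' => 'owner', 'status' => 'status'];

    $sql    = 'SELECT ID, owner, status FROM items WHERE 1=1';
    $params = [];
    foreach ($allowed as $key => $column) {
        if (!isset($request[$key]) || !is_scalar($request[$key])) {
            continue;                     // absent, or an array such as ?id[]=1
        }
        $sql .= " AND $column = :$key";   // only the placeholder is concatenated
        $params[":$key"] = (string) $request[$key];
    }

    $stmt = $pdo->prepare($sql . ' ORDER BY ID');
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed stand-ins for $_GET.
$rows = findItems($pdo, ['id' => '2']);
echo count($rows), " row(s) for id=2\n";

$rows = findItems($pdo, ['owner' => 'alice', 'status' => 'open']);
echo count($rows), " row(s) for owner=alice, status=open\n";

// A value carrying SQL syntax is compared as data, not parsed as SQL.
$rows = findItems($pdo, ['id' => '2 OR 1=1']);
echo count($rows), " row(s) for the non-numeric id\n";
```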

SQL-Injection prevention with if/else [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
I just thought about the safety of my PHP script and read a lot about SQL injections. Now I have a question to save me from it. Is it right when my script doesn't accept characters like ' , ; or " ? Or I just catch this from my Android app? So I just see the problem in these characters. Am I right? Or is there something I don't see? If not, what would be the easiest way to secure it?
Never check the string for injection; all you need to do is not concatenate the variable.
Use Prepared Statements.
An "example" in mysqli, extracted from http://www.wikihow.com/Prevent-SQL-Injection-in-PHP
$name = $_GET['username'];
if ($stmt = $mysqli->prepare("SELECT password FROM tbl_users WHERE name=?")) {
    // Bind a variable to the parameter as a string.
    $stmt->bind_param("s", $name);
    // Execute the statement.
    $stmt->execute();
    // Get the variables from the query.
    $stmt->bind_result($pass);
    // Fetch the data.
    $stmt->fetch();
    // Display the data.
    printf("Password for user %s is %s\n", $name, $pass);
    // Close the prepared statement.
    $stmt->close();
}
Read: http://www.veracode.com/security/sql-injection
If your idea is to check the variables for ' or " or ;, it's a hard, endless job, and in the end it can be solved by using a PDO statement.

Is there any way to SQL inject in my code? [duplicate]

This question already has answers here:
SQL injection that gets around mysql_real_escape_string()
(4 answers)
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
I'm not familiar with sql injection and I wanna know if there is any invulnerability in my script, if there is please point it out and give me some tip to fix it.
<?php
include("config.php");
?>
<?php
$desc = $_POST['desc'];
$desc = mysql_real_escape_string($desc);
$author = $_POST['author'];
$date = date("d/M/Y");
mysql_query("INSERT INTO `changelog`(`author`, `date`, `description`) VALUES ('{$author}','{$date}','$desc')") or die(mysql_error());
include("success.php");
?>
Yes there is. You are solely relying on mysql_real_escape_string which has been deprecated. Furthermore you should build some of your own logic tests based on a range of input that you are expecting. You might want to use RegExp or some other trimming functions but don't rely just on mysql_real_escape_string.
You should write some logic to test the data you are expecting.
You can check out http://php.net/manual/en/security.database.sql-injection.php for more information on preventing SQL Injections.
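
Added example (not from the question or the answer): in the script above only $desc passes through mysql_real_escape_string(), while $author is placed in the query text as received. The sketch below binds all three values with PDO and checks the input against what is expected, as the answer suggests. SQLite in memory stands in for the MySQL database, and the helper names, length limits and author pattern are assumptions.

```php
<?php
// Added example: SQLite in memory stands in for the MySQL database; the
// length limits and the author pattern are assumptions, not the asker's rules.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE changelog (author TEXT, date TEXT, description TEXT)');

/** Returns the names of the fields that failed validation (empty = acceptable). */
function validateEntry(array $post): array
{
    $errors = [];
    $author = $post['author'] ?? null;
    $desc   = $post['desc'] ?? null;
    // Expected shape only: letters, digits, space, dot, apostrophe, hyphen.
    if (!is_string($author) || !preg_match('/^[\p{L}\p{N} .\'-]{1,64}\z/u', $author)) {
        $errors[] = 'author';
    }
    if (!is_string($desc) || trim($desc) === '' || strlen($desc) > 2000) {
        $errors[] = 'desc';
    }
    return $errors;
}

function addEntry(PDO $pdo, array $post): bool
{
    if (validateEntry($post) !== []) {
        return false;
    }
    $stmt = $pdo->prepare(
        'INSERT INTO changelog (author, date, description)
         VALUES (:author, :date, :description)'
    );
    // All three values are bound, so none of them can alter the statement.
    return $stmt->execute([
        ':author'      => $post['author'],
        ':date'        => date('d/M/Y'),
        ':description' => $post['desc'],
    ]);
}

// Constructed stand-ins for $_POST. Quotes in valid input are stored as data.
var_dump(addEntry($pdo, ['author' => "Conan O'Brien", 'desc' => "Fixed the hold'em parser"]));
var_dump(addEntry($pdo, ['author' => str_repeat('x', 500), 'desc' => 'author too long']));
echo $pdo->query('SELECT COUNT(*) FROM changelog')->fetchColumn(), " row(s) stored\n";
```

Validation here only rejects input that does not look like a changelog entry; the bound parameters are what keep request data out of the SQL text.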

Is this code using PDO secure? [duplicate]

This question already has answers here:
Are PDO prepared statements sufficient to prevent SQL injection?
(7 answers)
Closed 9 years ago.
I am new to PDO. As I heard PDO can prevent SQL injection attack.
Here's what I have written:
$db = new PDO('mysql:host=192.168.57.36; dbname=somedb; charset=UTF8', 'user1', 'pass1');
$sql = "SELECT * FROM table1 WHERE id = ?";
$stmt = $db->prepare($sql);
$stmt->execute(array($tid));
Is it secure code? I guess prepare should do some securing acts, but the variable is passed to the query after it.
Should I use addParam before execution method?
Thank you.
Should I use addParam before execution method?
No.
Passing a variable into execute does pretty much the same.
There could be other issues though, you can read on them here

Is it enough to use mysqli in PHP to prevent SQL injections? [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 3 years ago.
For example I use
$building_name = $_POST['BuildingName'];
$metering_type = $_POST['MeteringType'];
$query = "INSERT INTO buildings (BuildingName, MeteringType)
VALUES ('$building_name', '$metering_type')";
if(mysqli_query($link, $query))
{
echo json_encode(Array("success"=>true));
}
And I believe that this prevents me from SQL injections. Am I safe?
No, that doesn't protect you in the slightest.
You need to use MySQLi's parameterized queries via prepare.
