What is the save way to aviod SQL Injection.
I saw a lot of ways to build up the query my question is what is the safest way to avoid SQL-Injection.
INSERT 1
$st = $this->db->prepare("SELECT * FROM tbl WHERE name=? AND pass=?");
$st->bindParam(1, $name);
$st->bindParam(2, $pass);
$st->execute();
INSERT 2
$stmt = $this->db->prepare("INSERT INTO tbl VALUES(:id, :name)");
$stmt->bindValue(':id', $id);
$stmt->bindValue(':name', $name);
$stmt->execute();
Update 1
$st1 = $this->db->prepare("UPDATE tbl SET name=? WHERE name=?");
$st1->bindParam(1, $newname);
$st1->bindParam(2, $name);
$st1->execute();
SELECT
$st = $this->db->prepare("SELECT * FROM tbl WHERE name=?");
$st->bindParam(1, $name);
$st->execute();
Is it safer to use bindParam(1, $name) or bindParam(:id, $name) to avoid the SQL-Injections in the database?
You will avoid SQL injection both ways, there is no difference. Choose the one that you like more.
Related
This is my code:
function getUsers($connection ,$username) {
$sql = "SELECT * FROM users where username = ?";
$stmt = $connection->prepare($sql);
$stmt->bindParam("s", $username, PDO::PARAM_STR);
return $stmt->fetchAll();
}
$voornaam = "dave";
$users = getUsers($connection, $voornaam);
print_r($users);
When I open my webpage, I get an empty Array.
I checked, and there is a user with the username "dave" in my database.
This should work, however, it doesn't...
Anyone knows what I did wrong?
Thanks in advance.
First is, you have to execute it before using fetchAll():
$stmt->execute();
$result = $stmt->fetchAll();
This is the correct way:
$stmt = $connection->prepare('SELECT * FROM users where username = :username');
$stmt->bindParam(':username', $username);
If you want to user ? it will determine the order of ? in bindParam, use it like this:
$sql = "SELECT * FROM users where username = ?";
$stmt = $connection->prepare($sql);
$stmt->bindParam(1, $username, PDO::PARAM_STR);
More example:
$sth = $dbh->prepare('SELECT name, colour, calories
FROM fruit
WHERE calories < ? AND colour = ?');
$sth->bindParam(1, $calories, PDO::PARAM_INT);
$sth->bindParam(2, $colour, PDO::PARAM_STR, 12);
Instead of using
$stmt->bindParam("s", $username, PDO::PARAM_STR);
you need to use
$stmt->bindParam(1, $username, PDO::PARAM_STR);
Check this link for details https://www.php.net/manual/en/pdostatement.bindparam
You need to check this Example #2 Execute a prepared statement with question mark placeholders
This is the correct way
$sql = "SELECT * FROM users where username = ?";
$stmt = $conn->prepare($sql);
$stmt->bindParam(1, $username, PDO::PARAM_STR);
$stmt->execute();
return $stmt->fetchAll();
I'm new to prepared statements. Sql query is working fine if i insert dummy data and it is working without binding the integer($id).
Where am i wrong?
sql = "UPDATE staff_type SET s_type=?, description=? WHERE s_type_id=?;";
$stmt = mysqli_stmt_init($conn);
mysqli_stmt_prepare($stmt, $sql));
mysqli_stmt_bind_param($stmt, "ssi", $type, $desc, $id);
mysqli_stmt_execute($stmt);
I found the error which cause the integer parameter to not bind. I didn't know that disabled input fields cannot post data, therefore i found a solution to replace the 'disabled' attribute with 'readonly'.
Before binding parameters you have to Prepare an SQL statement with parameters in it.
$sql = "UPDATE staff_type SET s_type=?, description=? WHERE s_type_id=?;";
$stmt = $conn->prepare($sql);
$stmt->bind_param("ssi", $type, $desc, $id);
$stmt->execute();
You have to Prepare Statement first
**Procedural style**
$stmt = mysqli_prepare($conn, "UPDATE staff_type SET s_type=?, description=? WHERE s_type_id=?");
mysqli_stmt_bind_param($stmt, "ssi", $type, $desc, $id);
mysqli_stmt_execute($stmt);
check http://php.net/manual/en/mysqli-stmt.bind-param.php
Try this
$sql= $con->prepare("update staff_type set s_type=?, description=? WHERE s_type_id = ?");
if ($result){
$sql->bind_param('ssi', $s_type, $desc, $s_type_id );
$sql->execute();
}
side note: s represents string while i represents integer
Hope this helps you
I have a php that I need to many selects, like 10, so I do:
$stmt = $mysqli_->prepare("SELECT count(id) as num FROM table WHERE id=?");
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($count);
$stmt->fetch();
$stmt->close();
$stmt = $mysqli_->prepare("SELECT count(id) as num FROM table2 WHERE id=?");
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($count2);
$stmt->fetch();
$stmt->close();
$stmt = $mysqli_->prepare("SELECT count(id) as num FROM table3 WHERE id=?");
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($count3);
$stmt->fetch();
$stmt->close();
...
is it ok to use the $stmt->close(); all the time or would it kill the connection performance?
I am having trouble inserting data into my database. This is my first time dealing with SQL injection.
$stmt = $dbConnection->prepare('INSERT INTO users(name) VALUES('name = ?')');
$stmt->bind_param('s', $name);
$stmt->execute();
But that doesn't work. Any help would be appriciated!
You have a few syntax errors in your code. Try this:
$stmt = $dbConnection->prepare('INSERT INTO users (name) VALUES (:s)');
$stmt->bindParam(':s', $name);
$stmt->execute();
If you want to insert and define more values, do it like this:
$stmt = $dbConnection->prepare('INSERT INTO users (name, email) VALUES (:s, :email)');
$stmt->bindParam(':s', $name);
$stmt->bindParam(':email', $email);
$stmt->execute();
If you're using mysqli, your code will look like this:
$stmt = $dbConnection->prepare('INSERT INTO users (name) VALUES (?)');
$stmt->bind_param('s', $name);
$stmt->execute();
You don't need name = in the SQL, the column name is specified in the list (name) after the table name. Just put a ? where you would normally put the value.
$stmt = $dbConnection->prepare('INSERT INTO users(name) VALUES(?)');
$stmt->bind_param('s', $name);
$stmt->execute();
$sql = 'SELECT * FROM Table WHERE Column = ?';
$stmt = $mysqli->stmt_init();
if ($stmt->prepare($sql)) {
$stmt->bind_param('s', $ColumnValue);
$stmt->execute();
$stmt->bind_result($Col1, $Col2);
$stmt->fetch();
$stmt->close();
}
// or
if ($stmt = $mysqli->prepare($sql)) {
$stmt->bind_param('s', $ColumnValue);
$stmt->execute();
$stmt->bind_result($Col1, $Col2);
$stmt->fetch();
$stmt->close();
}
When dealing with prepared statements, what's the difference? Which should be used?
Looking at the source, they both do the same thing. Personally, I'd go with the one that involves less typing since both are equally readable.