We Keep Coding

Escape MYSQL injection with GET method [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 4 years ago.
I generate a mysql query via $_GET in PHP via concatenation assignment (.=).
take a look:
$sql='SELECT * FROM table WHERE ';
$sql.='ID='.$_GET['id'].'';
$query=$PDO->prepare($sql);
how can i prevent mysql injection?
i use bind values for direct queries but in this case,i don't have any idea how i should write my code to be safe enough.
note that i use PHP 7 and i can't use mysql_real_escape_string(); as it's not available in PHP7.

You could use something like the following:
<?php
$sql = $PDO->prepare("SELECT * FROM table WHERE ID=?");
if ($sql->execute(array($_GET['id']))) {
while ($row = $sql->fetch()) {
print_r($row);
}
}
?>

Is `$var = $var + 0` an acceptable way to prevent SQL injection in PHP? [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 4 years ago.
A team I work with has a habit of escaping IDs and integers in SQL like this:
$var = $var + 0;
$sql = "SELECT * FROM whatever WHERE id = $var";
Is this an acceptable way to prevent SQL injection in PHP, or is it vulnerable?

No its not a preventive way. Use PHP PDO. Read this:
https://www.w3schools.com/php/php_mysql_connect.asp

Updating sql table using php [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 6 years ago.
I have a table (core_customer_information) and I want to create a SQL query in php that uses the variable $code and updates the activated field in my table.
$code = mysqli_real_escape_string($conn, $_GET['code']);
$check = mysqli_query("SELECT * FROM core_customer_information WHERE activation_code='$code' AND activated='1' ");
if ( mysqli_num_rows($check) == 1)
{
die ('The account has already been activated');
}
else
{
$activate = mysqli_query("UPDATE core_customer_information SET activated='1' WHERE activation_code='$code'");
echo ('Your account has know been activated <br>');
echo $code;
}
First of all, I check whether the activated is equal to 1, in which case the account is classed as activated, and if not, I then create an UPDATE query to update the activated field of this class.
My problem is that the query isn't updating my table and I'm unsure where the problem is at.
I would appreciate if someone could take a look for me please.

I would recommend you use mysqli_real_escape_string as it escapes the string taking into account the current connection charset as stated by the page:
This function is used to create a legal SQL string that you can use in an SQL statement. The given string is encoded to an escaped SQL string, taking into account the current character set of the connection.
To prevent most mysql injection methods you should do the following:
$code = mysqli_real_escape_string($link, $_GET['code']);
If you should ever use an adapter like ADODB or some other, I'd recommend you use prepared statements and their methods of preventing SQL injection.

It's not totally clear from your question what language you will be using to launch the SQL queries (since the only tags are sql and mysql at the moment...)
But if the language is similar to Java then you can use something similar to Java's PreparedStatement. (See https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html)
A PreparedStatement is safer than simple concatenation of dynamic variables into sql Strings.

Is there any way to SQL inject in my code? [duplicate]

This question already has answers here:
SQL injection that gets around mysql_real_escape_string()
(4 answers)
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
I'm not familiar with sql injection and I wanna know if there is any invulnerability in my script, if there is please point it out and give me some tip to fix it.
<?php
include("config.php");
?>
<?php
$desc = $_POST['desc'];
$desc = mysql_real_escape_string($desc);
$author = $_POST['author'];
$date = date("d/M/Y");
mysql_query("INSERT INTO `changelog`(`author`, `date`, `description`) VALUES ('{$author}','{$date}','$desc')") or die(mysql_error());
include("success.php");
?>

Yes there is. You are solely relying on mysql_real_escape_string which has been deprecated. Furthermore you should build some of your own logic tests based on a range of input that you are expecting. You might want to use RegExp or some other trimming functions but don't rely just on mysql_real_escape_string.

You should write some logic to test the data you are expecting.
You can check out http://php.net/manual/en/security.database.sql-injection.php for more information on preventing SQL Injections.

How to safely escape the input data in php for mysql [duplicate]

This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 2 years ago.
Which means, at the moment, are the safest for screening data in php to send them to the mysql database.
Thank, you )

I believe mysql_real_escape_string() mysqli_real_escape_string() is the best way to escape input data
Later edit since everything is deprecated now and information must be valid:
Try to use PDO as prepared statements are much safer or mysqli_*() functions if you really need to keep old code somewhat up-to-date.

Currently the most preferred way to insure your safety is prepared statements.
example:
$preparedStatement = $db->prepare('SELECT * FROM memebers WHERE username = :username');
$preparedStatement->execute(array(':username' => $username));
$rows = $preparedStatement->fetchAll();
then when displaying your data use htmlspecialchars()

validMySQL($var) {
$var=stripslashes($var);
$var=htmlentities($var);
$var=strip_tags($var);
$var=mysql_real_escape_string($var);
return $var
}
The above code helps to sanitize most invalid data, just remember that you've to be connected to mysql database for mysql_real_escape_string to work...