top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

How can I prevent SQL injection in PHP?

+3 votes
340 views
How can I prevent SQL injection in PHP?
posted Mar 4, 2014 by Khusboo

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

1 Answer

+1 vote
 
Best answer

Source: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php

Use prepared statements and parameterized queries. These are SQL statements that are sent to and parsed by the database server separately from any parameters. This way it is impossible for an attacker to inject malicious SQL.

You basically have two options to achieve this:

Using PDO:

$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');

$stmt->execute(array('name' => $name));

foreach ($stmt as $row) {
        // do something with $row
}

Using mysqli:

$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
    $stmt->bind_param('s', $name);

$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
// do something with $row
}
answer Mar 18, 2014 by Pavan P Naik
Similar Questions
+1 vote

I'm writing my first php extension and I need to list included files (in PHP script) from RINIT function, but I cannot figure out how.

I deep into PHP source code and I think it's related to EG(included_files), but I can't to access the list.

PHP_RINIT_FUNCTION(extname)
{
 // SAPI NAME AND PHP SCRIPT FILE HANDLE PATH
 char *pt_var_sapi_name = sapi_module.name;
 char *pt_var_file_handle_path = SG(request_info).path_translated;

 // HOW CAN I USE EG(included_files) to get included files list?

 return SUCCESS;
}
...