How can I prevent SQL injection in PHP?

1 Answer

Best answer

Source: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php

Use prepared statements and parameterized queries. These are SQL statements that are sent to and parsed by the database server separately from any parameters. This way it is impossible for an attacker to inject malicious SQL.

You basically have two options to achieve this:

Using PDO:

$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');

$stmt->execute(array('name' => $name));

foreach ($stmt as $row) {
        // do something with $row
}

Using mysqli:

$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
    $stmt->bind_param('s', $name);

$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
// do something with $row
}

answer Mar 18, 2014 by Pavan P Naik

Similar Questions

0 votes

Prevent mysql injection in Php before submitted to the database?

+1 vote

How to prevent SQL Injection in Java Code?

0 votes

How can i use if condition in mongodb using php?

+1 vote

How can I list included files (in PHP script) from RINIT function?

I'm writing my first php extension and I need to list included files (in PHP script) from RINIT function, but I cannot figure out how.

I deep into PHP source code and I think it's related to EG(included_files), but I can't to access the list.

PHP_RINIT_FUNCTION(extname)
{
 // SAPI NAME AND PHP SCRIPT FILE HANDLE PATH
 char *pt_var_sapi_name = sapi_module.name;
 char *pt_var_file_handle_path = SG(request_info).path_translated;

 // HOW CAN I USE EG(included_files) to get included files list?

 return SUCCESS;
}

0 votes

How can I Paginate my records in PHP?

How can I prevent SQL injection in PHP?

Your comment on this post:

1 Answer

Your comment on this answer:

Your answer

Preview