php - how do i prevent mySql injection -
this question has answer here:
- how can prevent sql injection in php? 28 answers
i need know how prevent our database sql injection, read many blog , answer on internet not justify way should prefer or best. mysql:
mysqli: mysql_real_escape_string. or using
using pdo: i know if user inserting in database becomes vulnerable sql injection, , use code insertion:
<?php $con=mysql_connect("localhost","root",""); $db=mysql_select_db("test",$con); $foo=$_post['foo']; $boo=$_post['boo']; $insert="insert table set foo='$foo',boo='$boo'"; so should prevent database injection..... idea appreciated highly.. thanx in advance
if know below code, well, translating pdo like:
from sql code:
<?php $con=mysql_connect("localhost","root",""); $db=mysql_select_db("test",$con); $foo=$_post['foo']; $boo=$_post['boo']; $insert="insert table set foo='$foo',boo='$boo'"; to pdo code:
<?php $con= new pdo('mysql:host=localhost; dbname=xxxx', 'username', 'password') $stmt = $con->prepare('insert table (foo, boo) values (?,?)'); $stmt->execute(array($_post['foo'], $_post['boo'])) pdo helps prepare query, execute unlike mysql @ same instance.
now, $con = new pdo() like, mysql_connect() , mysql_select_db() opens connection.
$stmt variable, holds returned query $result in $result = mysql_query() next execute() executes code, meaning sql queries prepared executed, 1 after other making sql injection impossible, be.
this basic , tutorial if want learn pdo http://wiki.hashphp.org/pdo_tutorial_for_mysql_developers
Comments
Post a Comment