php - how do i prevent mySql injection -


this question has answer here:

i need know how prevent our database sql injection, read many blog , answer on internet not justify way should prefer or best. mysql:

 mysqli: mysql_real_escape_string.

or using

using pdo:

i know if user inserting in database becomes vulnerable sql injection, , use code insertion:

<?php $con=mysql_connect("localhost","root",""); $db=mysql_select_db("test",$con); $foo=$_post['foo']; $boo=$_post['boo'];  $insert="insert table set foo='$foo',boo='$boo'";

so should prevent database injection..... idea appreciated highly.. thanx in advance

if know below code, well, translating pdo like:

from sql code: 

<?php $con=mysql_connect("localhost","root",""); $db=mysql_select_db("test",$con); $foo=$_post['foo']; $boo=$_post['boo']; $insert="insert table set foo='$foo',boo='$boo'";

to pdo code:

<?php $con= new pdo('mysql:host=localhost; dbname=xxxx', 'username', 'password') $stmt = $con->prepare('insert table (foo, boo) values (?,?)'); $stmt->execute(array($_post['foo'], $_post['boo']))

pdo helps prepare query, execute unlike mysql @ same instance.

now, $con = new pdo() like, mysql_connect() , mysql_select_db() opens connection.

$stmt variable, holds returned query $result in $result = mysql_query() next execute() executes code, meaning sql queries prepared executed, 1 after other making sql injection impossible, be.

this basic , tutorial if want learn pdo http://wiki.hashphp.org/pdo_tutorial_for_mysql_developers


Comments

Post a Comment

Popular posts from this blog

.htaccess - First slash is removed after domain when entering a webpage in the browser -

sometimes when hit address of webpage in browser, removes first slash after domain. examples: www.mywebsite.com/scripts/script_6.php -> trying load www.mywebsite.comscripts/script_6.php www.mywebsite.com/test.php -> trying load www.mywebsite.comtest.php after entering again, loads page. a .htaccess settings must wrong: rewritebase / errordocument 404 http://www.mywebsite.com/oops.php errordocument 401 /notallowed.php rewriteengine on # turn on rewriting engine #gzip <ifmodule mod_deflate.c> addoutputfilterbytype deflate text/text text/html text/plain text/xml text/css application/x- javascript application/javascript </ifmodule> #end gzip rewritecond %{http_host} ^mywebsite\.com rewriterule ^(.*)$ http://www.mywebsite.com$1 [r=permanent,l] directoryindex index6.php rewriterule ^termsofuse/?$ termsofuse.php [nc,l] # handle requests "adpolicy" rewriterule ^privacy-policy/?$ privacy-policy.php [nc,l] # handle requ...
Read more

Socket.connect doesn't throw exception in Android -

if put nonsense url no exception thrown , none of rest of code executed not rest of asynctask called method connects. try { socketcliente.connect(new inetsocketaddress("f", port), 2000); } catch (unknownhostexception e) { geterror("host doesn't exist"); return -1; } catch (ioexception e) { geterror("could not connect: host down"); return -1; } add catch statement. catch ( exception e ) { log.d(tag, e.getmessage(),e); toast.maketext(getapplicationcontext(), "unexpected error:" + e.getmessage(), toast.length_long).show(); } this write log , pop toast tell what's going on.
Read more

SPSS keyboard combination alters encoding -

my question not have programming practical issue on spss. accident keyword combination cannot remember because did not intend press changed encoding in spss , text in data in different language english shown small boxes. nevertheless, when kind of analysis performed different language text shown in output. does know reason? tried change encoding did not produce result. first, @ edit > options , see whether setting unicode or locale. might fix it. if have text in multiple languages, want unicode. otherwise, may have specific locale set wrong. can change set locale, need know locale want use.
Read more