Revisions to How can I prevent SQL injection in PHP?

Updated to mysqli, we don't want to encourage mysql_ don't we?

Source Link

edited May 1, 2018 at 16:51

2.9k
1
27
36

If possible, cast the types of your parameters. But it's only working on simple types like int, bool, and float.

$unsafe_variable = $_POST['user_id'];

$safe_variable = (int)$unsafe_variable ;

mysql_querymysqli_query($conn, "INSERT INTO table (column) VALUES ('" . $safe_variable . "')");

If possible, cast the types of your parameters. But it's only working on simple types like int, bool, and float.

$unsafe_variable = $_POST['user_id'];

$safe_variable = (int)$unsafe_variable ;

mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')");

If possible, cast the types of your parameters. But it's only working on simple types like int, bool, and float.

$unsafe_variable = $_POST['user_id'];

$safe_variable = (int)$unsafe_variable ;

mysqli_query($conn, "INSERT INTO table (column) VALUES ('" . $safe_variable . "')");

Grammar improvement(s)

Source Link

edited Dec 25, 2017 at 14:45

Nae

15.1k
7
58
82

Type cast ifIf possible, cast the types of your parameters. But it's only working on simple types like int, bool, and float.

$unsafe_variable = $_POST['user_id'];

$safe_variable = (int)$unsafe_variable ;

mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')");

Type cast if possible your parameters. But it's only working on simple types like int, bool and float.

$unsafe_variable = $_POST['user_id'];

$safe_variable = (int)$unsafe_variable ;

mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')");

If possible, cast the types of your parameters. But it's only working on simple types like int, bool, and float.

$unsafe_variable = $_POST['user_id'];

$safe_variable = (int)$unsafe_variable ;

mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')");

Post Made Community Wiki by animuson♦

occurred Jul 7, 2017 at 14:55

Source Link

created Jun 12, 2012 at 8:03

devOp

3.2k
1
19
32

Type cast if possible your parameters. But it's only working on simple types like int, bool and float.

$unsafe_variable = $_POST['user_id'];

$safe_variable = (int)$unsafe_variable ;

mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')");

Collectives™ on Stack Overflow

Return to Answer