17 events
when | what | by | license | comment
Jan 27, 2021 at 16:05 comment added brut65 @Zaffy, thanks, it helps a lot. I tested it myself, and your "formula" hex/unhex prevents the most common SQL injection attacks. Is it possible to break this, a leak in the process or something? At least in a way that you know of...
Jun 12, 2020 at 3:53 comment added Your Common Sense This overcomplicated approach is absolutely for naught. One could use simple quoting function "'".$mysqli->escape_string($_GET["id"])."'" instead of this hexing/unhexing paraphernalia. But it will be equally limited, leaving your application exposed to SQL injection for the cases where it's inapplicable.
S Jun 12, 2020 at 3:31 history suggested BushBush Saur CC BY-SA 4.0
improved formatting, changed blockquotes to code blocks
Jun 11, 2020 at 22:23 review Suggested edits
S Jun 12, 2020 at 3:31
Dec 25, 2017 at 14:40 history edited Nae CC BY-SA 3.0
Grammar improvement(s)
Oct 18, 2017 at 9:26 history edited Palec CC BY-SA 3.0
Fixed reversed word order.
Oct 18, 2017 at 7:49 history edited Farzad Karimi CC BY-SA 3.0
improved syntax
Jul 7, 2017 at 14:55 history made wiki Post Made Community Wiki by animuson
Jul 16, 2014 at 2:19 history edited Peter Mortensen CC BY-SA 3.0
Copy edited. (its = possessive, it's = "it is" or "it has". See for example <http://www.wikihow.com/Use-its-and-it's>.)
Oct 12, 2013 at 9:27 history edited user823738 CC BY-SA 3.0
added 875 characters in body
Jun 1, 2013 at 23:49 comment added user823738 @SumitGupta Yeah, you did. MySQL doesn't concatenate with + but with CONCAT. And as to the performance: I don't think it affects performance, because MySQL has to parse the data and it doesn't matter if the origin is a string or hex.
Jun 1, 2013 at 12:53 comment added Sumit Gupta I just tested: SELECT * FROM tblproducts WHERE product_code LIKE ( '%42%') does find the record, but SELECT * FROM tblproducts WHERE product_code LIKE ('%' +0x3432 +'%') doesn't, so either it simply doesn't work or I did something wrong?
Jun 1, 2013 at 12:48 comment added Sumit Gupta @Zaffy, I like the idea, but what about performance? I mean, if you have 1 million records and 1000 users searching, does it slow down compared to the prepared-statement solution?
S Mar 8, 2013 at 16:57 history suggested dadinck CC BY-SA 3.0
except -> expect, spelling error.
Mar 8, 2013 at 16:54 review Suggested edits
S Mar 8, 2013 at 16:57
Feb 27, 2013 at 20:09 history edited user823738 CC BY-SA 3.0
deleted 63 characters in body
Oct 3, 2012 at 14:07 history answered user823738 CC BY-SA 3.0