Revisions to How can I prevent SQL injection in PHP?

Change the params in mysqli_real_escape_string to the right way around (dbconn, value)

Source Link

edited Sep 1, 2022 at 14:26

2.8k
4
21
47

Security Warning: This answer is not in line with security best practices. Escaping is inadequate to prevent SQL injection, use prepared statements instead. Use the strategy outlined below at your own risk.

You could do something basic like this:

$safe_variable = mysqli_real_escape_string($dbConnection, $_POST["user-input"], $dbConnection);
mysqli_query($dbConnection, "INSERT INTO table (column) VALUES ('" . $safe_variable . "')");

This won't solve every problem, but it's a very good stepping stone. I left out obvious items such as checking the variable's existence, format (numbers, letters, etc.).

Security Warning: This answer is not in line with security best practices. Escaping is inadequate to prevent SQL injection, use prepared statements instead. Use the strategy outlined below at your own risk.

You could do something basic like this:

$safe_variable = mysqli_real_escape_string($_POST["user-input"], $dbConnection);
mysqli_query($dbConnection, "INSERT INTO table (column) VALUES ('" . $safe_variable . "')");

This won't solve every problem, but it's a very good stepping stone. I left out obvious items such as checking the variable's existence, format (numbers, letters, etc.).

Security Warning: This answer is not in line with security best practices. Escaping is inadequate to prevent SQL injection, use prepared statements instead. Use the strategy outlined below at your own risk.

You could do something basic like this:

$safe_variable = mysqli_real_escape_string($dbConnection, $_POST["user-input"]);
mysqli_query($dbConnection, "INSERT INTO table (column) VALUES ('" . $safe_variable . "')");

This won't solve every problem, but it's a very good stepping stone. I left out obvious items such as checking the variable's existence, format (numbers, letters, etc.).

added 327 characters in body

Source Link

edited May 13, 2022 at 21:19

miken32

42.6k
16
119
164

Security Warning: This answer is not in line with security best practices. Escaping is inadequate to prevent SQL injection, use prepared statements instead. Use the strategy outlined below at your own risk.

You could do something basic like this:

$safe_variable = mysqli_real_escape_string($_POST["user-input"], $dbConnection);
mysqli_query($dbConnection, "INSERT INTO table (column) VALUES ('" . $safe_variable . "')");

This won't solve every problem, but it's a very good stepping stone. I left out obvious items such as checking the variable's existence, format (numbers, letters, etc.).

You could do something basic like this:

$safe_variable = mysqli_real_escape_string($_POST["user-input"], $dbConnection);
mysqli_query($dbConnection, "INSERT INTO table (column) VALUES ('" . $safe_variable . "')");

This won't solve every problem, but it's a very good stepping stone. I left out obvious items such as checking the variable's existence, format (numbers, letters, etc.).

Security Warning: This answer is not in line with security best practices. Escaping is inadequate to prevent SQL injection, use prepared statements instead. Use the strategy outlined below at your own risk.

You could do something basic like this:

$safe_variable = mysqli_real_escape_string($_POST["user-input"], $dbConnection);
mysqli_query($dbConnection, "INSERT INTO table (column) VALUES ('" . $safe_variable . "')");

This won't solve every problem, but it's a very good stepping stone. I left out obvious items such as checking the variable's existence, format (numbers, letters, etc.).

Totally Code Updated to Mysqli Version (PHP > 7.0)

Source Link

edited Jun 18, 2019 at 10:23

M Uzair Qadeer

492
1
8
19

Deprecated Warning: This answer's sample code (like the question's sample code) uses PHP's MySQL extension, which was deprecated in PHP 5.5.0 and removed entirely in PHP 7.0.0.

Security Warning: This answer is not in line with security best practices. Escaping is inadequate to prevent SQL injection, use prepared statements instead. Use the strategy outlined below at your own risk. (Also, mysql_real_escape_string() was removed in PHP 7.)

You could do something basic like this:

$safe_variable = mysqli_real_escape_string($_POST["user-input"], $dbConnection);
mysqli_query($dbConnection, "INSERT INTO table (column) VALUES ('" . $safe_variable . "')");

This won't solve every problem, but it's a very good stepping stone. I left out obvious items such as checking the variable's existence, format (numbers, letters, etc.).

Deprecated Warning: This answer's sample code (like the question's sample code) uses PHP's MySQL extension, which was deprecated in PHP 5.5.0 and removed entirely in PHP 7.0.0.

Security Warning: This answer is not in line with security best practices. Escaping is inadequate to prevent SQL injection, use prepared statements instead. Use the strategy outlined below at your own risk. (Also, mysql_real_escape_string() was removed in PHP 7.)

You could do something basic like this:

$safe_variable = mysqli_real_escape_string($_POST["user-input"], $dbConnection);
mysqli_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')");

This won't solve every problem, but it's a very good stepping stone. I left out obvious items such as checking the variable's existence, format (numbers, letters, etc.).

You could do something basic like this:

$safe_variable = mysqli_real_escape_string($_POST["user-input"], $dbConnection);
mysqli_query($dbConnection, "INSERT INTO table (column) VALUES ('" . $safe_variable . "')");

This won't solve every problem, but it's a very good stepping stone. I left out obvious items such as checking the variable's existence, format (numbers, letters, etc.).

Added appropriate warnings.

Source Link

edited May 9, 2019 at 3:02

Theodore R. Smith

22.7k
13
68
92

Loading

Spelling

Source Link

edited Apr 18, 2019 at 12:00

halfer

20.2k
19
105
197

Loading

corrected command syntax

Source Link

edited Mar 13, 2019 at 23:05

Ajay Singh

733
9
21

Loading

Rollback to Revision 5 - Last edit mostly plagiarized from https://www.cloudways.com/blog/protect-php-website-sql-injection/

Source Link

edited Jan 11, 2019 at 7:23

Pang

9.9k
146
85
124

Loading

Deprecated extension removed, Expanded the Answer with more specific theories

Source Link

edited Dec 29, 2018 at 6:44

Kiran Maniya

8.8k
10
60
84

Loading

Deprecated extension removed

Source Link

edited Dec 29, 2018 at 6:31

Kiran Maniya

8.8k
10
60
84

Loading

Post Made Community Wiki by animuson♦

occurred Jul 7, 2017 at 14:55

Add a note about the insecurity of escaping.

Source Link

edited Jan 2, 2016 at 3:47

Scott Arciszewski

34k
17
91
212

Loading

(its = possessive, it's = "it is" or "it has". See for example <http://www.wikihow.com/Use-Its-and-It's>.) In English, the subjective form of the singular first-person pronoun, "I", is capitalized, along with all its contractions such as I'll and I'm.

Source Link