Timeline for How can I prevent SQL injection in PHP?
Current License: CC BY-SA 4.0
36 events
| when | what | action | by | license | comment |
|---|---|---|---|---|---|
| Mar 24, 2022 at 11:30 | history | edited | Your Common Sense | CC BY-SA 4.0 | Made it up to date. People get confused as hell and come asking questions that make no sense after reading this kind of answer that cannot make up its mind on how to protect. |
| Dec 2, 2019 at 9:07 | comment | added | Steen Schütt | | @RickJames My point is that you are more likely to make mistakes with the old approach of manually quoting your parameters. I am aware that the old MySQL functions are deprecated/removed and that the mysqli extension does something similar, but we should be teaching prepared statements first, and then "the old ways" for completeness. |
| Dec 1, 2019 at 1:21 | comment | added | Rick James | | @SteenSchütt - All the mysql_* functions are deprecated. They were replaced by similar mysqli_* functions, such as mysqli_real_escape_string. |
| Dec 1, 2019 at 1:19 | comment | added | Rick James | | @peimanF. - Don't do both; it will double-escape things! Pick either parameterization (preferred) or mysqli_real_escape_string. |
| Nov 21, 2019 at 11:13 | history | rollback | Your Common Sense | | Rollback to Revision 21 |
| Nov 21, 2019 at 11:05 | history | edited | user1986815 | CC BY-SA 4.0 | mysqli_real_escape_string expects 2 parameters |
| May 9, 2019 at 3:02 | history | edited | Theodore R. Smith | CC BY-SA 4.0 | Added appropriate warnings. |
| Dec 5, 2018 at 0:13 | comment | added | Steen Schütt | | I understand the inclusion of mysql_real_escape_string() for completeness, but am not a fan of listing the most error-prone approach first. The reader might just quickly grab the first example. Good thing it's deprecated now :) |
| Nov 19, 2018 at 13:32 | history | edited | Sayed Mohd Ali | CC BY-SA 4.0 | Corrected spelling, fixed grammar. |
| Apr 4, 2018 at 18:03 | comment | added | Richard | | @peimanF. Good practice to use parametrized queries and bind values, but real escape string is good for now. |
| Mar 9, 2018 at 8:02 | comment | added | Goufalite | | @peimanF. Keep a good practice of using parametrized queries, even on a local project. With parametrized queries you are guaranteed that there will not be SQL injection. But keep in mind you should sanitize the data to avoid bogus retrieval (i.e. XSS injection, such as putting HTML code in a text), with htmlentities for example. |
| Mar 8, 2018 at 21:29 | comment | added | peiman F. | | Using mysql_real_escape_string is enough, or I must use parameterized too? |
| Feb 27, 2018 at 23:04 | history | edited | Matt Sheppard | CC BY-SA 3.0 | Clarify that the answer matches the question. |
| Feb 26, 2018 at 20:41 | history | edited | rici | CC BY-SA 3.0 | Edit the warning (which was confusing) as suggested by @nix in a comment. |
| Oct 18, 2017 at 7:12 | history | edited | Farzad Karimi | CC BY-SA 3.0 | Improved syntax |
| Aug 25, 2017 at 9:43 | history | edited | Priyantha | CC BY-SA 3.0 | Changed your post. Now it looks professional. Other users can take this with a clear mind. Thank you. |
| Jul 7, 2017 at 14:55 | history | made wiki | Post Made Community Wiki by animuson♦ | | |
| May 23, 2017 at 12:18 | history | edited | URL Rewriter Bot | | replaced http://stackoverflow.com/ with https://stackoverflow.com/ |
| Aug 8, 2016 at 16:18 | history | edited | Machavity♦ | CC BY-SA 3.0 | Moved warning into quote |
| Jun 8, 2016 at 20:19 | history | edited | Matt Sheppard | CC BY-SA 3.0 | Promoted the warning about removal of mysql_real_escape_string |
| Jun 7, 2016 at 13:56 | history | edited | Steve | CC BY-SA 3.0 | added 97 characters in body |
| S Mar 31, 2014 at 21:44 | history | suggested | Denys Vitali | CC BY-SA 3.0 | Added warning about deprecation of mysql |
| Mar 31, 2014 at 21:39 | review | Suggested edits | | | S Mar 31, 2014 at 21:44 |
| Feb 11, 2014 at 19:48 | history | edited | Funk Forty Niner | CC BY-SA 3.0 | added a missing semi-colon at the end of $unsafe_variable = $_POST["user-input"] |
| Dec 19, 2013 at 13:06 | review | Suggested edits | | | Dec 19, 2013 at 13:08 |
| Jul 5, 2013 at 7:14 | review | Suggested edits | | | Jul 5, 2013 at 7:16 |
| Sep 21, 2012 at 7:25 | history | edited | Matt Sheppard | CC BY-SA 3.0 | I think the extra variable name illustrates the point more clearly, though this is not how you would do it in real code. |
| Sep 21, 2012 at 7:24 | history | rollback | Matt Sheppard | | Rollback to Revision 6 |
| Sep 21, 2012 at 7:23 | history | rollback | Matt Sheppard | | Rollback to Revision 5 |
| Sep 17, 2012 at 22:20 | history | edited | Peter Mortensen | CC BY-SA 3.0 | added 32 characters in body; added 4 characters in body |
| S Apr 5, 2012 at 17:55 | history | suggested | Francisco Presencia | CC BY-SA 3.0 | Optimized code. It's better to do something in 1 line instead of 2 if it's clear what it does. |
| Apr 5, 2012 at 16:11 | review | Suggested edits | | | S Apr 5, 2012 at 17:55 |
| Feb 6, 2012 at 7:32 | history | edited | Matt Sheppard | CC BY-SA 3.0 | added 447 characters in body |
| Feb 5, 2012 at 17:00 | history | edited | Ry-♦ | CC BY-SA 3.0 | Formatting, delocalized URLs. |
| Dec 6, 2011 at 6:01 | history | edited | Matt Sheppard | CC BY-SA 3.0 | Incorporated example of problem with numeric values noted by Polynomial |
| Sep 13, 2008 at 9:48 | history | answered | Matt Sheppard | CC BY-SA 2.5 | |