Quote your damn SQL inputs!

Lowyat.NET forums

Lowyat.NET Kopitiam Garage Sales

Lowyat.NET Rules and Regulations FAQ Help Search Members

Welcome Guest ( Log In | Register )

Lowyat.NET -> Codemasters

Bump Topic Add Reply RSS Feed

Outline · [ Standard ] · Linear+

Quote your damn SQL inputs!, Paging Bobby Tables!

views

TSangch	Nov 3 2014, 08:26 PM, updated 12y ago Return to original view \| Post #1
On my way Junior Member 636 posts Joined: Jul 2006	Sigh, have enough of seeing bad code passing by here, and people replying and fixing the wrong (IMHO) things. Topic is closed, so didn't manage to post proper reply to the original post. Read these: http://en.wikipedia.org/wiki/SQL_injection http://php.net/manual/en/mysqli-stmt.bind-param.php http://php.net/manual/en/security.database.sql-injection.php TL/DR: Don't do this: CODE $mysqli->query("UPDATE table Foo set body= '".$_POST['body']."' where id= '".$_POST['id']."'"); Do this (well, a better version of this): CODE $stmt = mysqli_prepare($link, "UPDATE table Foo set body = ? where id= ?"); mysqli_stmt_bind_param($stmt, 'sd', $_POST['body'], $_POST['id']); mysqli_stmt_execute($stmt); This post has been edited by angch: Nov 3 2014, 08:28 PM
Card PM	Report Top Like Quote Reply

« Next Oldest · Codemasters · Next Newest »

Add Reply Options

Change to:

0.0151sec

0.66

6 queries

GZIP Disabled
Time is now: 21st December 2025 - 08:02 PM

All Rights Reserved © 2002- 2025 Vijandren Ramadass (~unite against racism~)

Removal Request

Powered by Invision Power Board © 2025 IPS, Inc.