Hello all,

I am trying to set up parameterised queries to prevent SQL injection from an HTML form when adding data to my database. I have been doing some reading on the W3Schools website about it. The code I have been looking at I tried to combine with my request to insert, but with no joy.

Here is the code I was looking at:

```php
$stmt = $dbh->prepare("INSERT INTO Customers (CustomerName,Address,City) VALUES (:nam, :add, :cit)");
$stmt->bindParam(':nam', $txtNam);
$stmt->bindParam(':add', $txtAdd);
$stmt->bindParam(':cit', $txtCit);
$stmt->execute();
```

And here is the code I have created from the code I was looking at above:

```php
<?php
$name = $_POST['name'];
$desc = $_POST['description'];
$price = $_POST['price'];
$image = $_POST['image'];
$prod_type = $_POST['prod_type'];
$made = $_POST['made'];
$dist = $_POST['distribute'];
$servername = "mysql5.000webhost.com";
$db = "a6382499_product";
$user_name = "a6382499_sonic";
$password = "phpfreaks1";
global $conn;
// create connection to db
try {
    $conn = new PDO("mysql:host=$servername;$db", $user_name, $password);
    // PDO error mode set to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    echo "Connected to database";
}
// Set variable to catch error created
catch(PDOException $error)
{
    echo "Connection failed: " . $error->getMessage();
}
try{
    $stmt = $db->prepare("INSERT INTO Products(NAME, DESCRIPTION, PRICE, IMAGE, TYPE, MADE, DISTRIBUTE)
    VALUES (:name, :desc, :price, :image, :prod_type, :made, :dist)");
    $stmt->bindParam(':name', $name);
    $stmt->bindParam(':desc', $desc);
    $stmt->bindParam(':price', $price);
    $stmt->bindParam(':image', $image);
    $stmt->bindParam(':prod_type', $prod_type);
    $stmt->bindParam(':made', $made);
    $stmt->bindParam(':dist', $dist);
    $stmt->exec();
    $conn->exec($sql);
    echo "New record added";
}
catch(PDOException $error)
{
    echo $sql . "<br />" . $error->getMessage();
}
?>
```

The error message I am getting is and line 32 in the code is

```php
$stmt = $db->prepare("INSERT INTO Products(NAME, DESCRIPTION, PRICE, IMAGE, TYPE, MADE, DISTRIBUTE)
```

Any help would be much appreciated.
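A working form of the parameterised insert asked about above, as an added example that is not part of the original post. It assumes an in-memory SQLite database in place of the MySQL server so it runs offline; `addProduct()` and the sample input are hypothetical, while the table and column names are taken from the post.

```php
<?php
declare(strict_types=1);

// Assumption: in-memory SQLite replaces the MySQL server so this runs offline.
// A MySQL DSN must name the database with dbname=, for example
//   "mysql:host=HOST;dbname=DBNAME;charset=utf8mb4"
// and with that driver PDO::ATTR_EMULATE_PREPARES can be set to false.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE Products (NAME TEXT, DESCRIPTION TEXT, PRICE TEXT,
             IMAGE TEXT, TYPE TEXT, MADE TEXT, DISTRIBUTE TEXT)');

// addProduct() is a hypothetical helper name, not from the post.
function addProduct(PDO $conn, array $in): int
{
    // prepare() is called on the PDO connection object, not on the
    // string that holds the database name.
    $stmt = $conn->prepare(
        'INSERT INTO Products (NAME, DESCRIPTION, PRICE, IMAGE, TYPE, MADE, DISTRIBUTE)
         VALUES (:name, :desc, :price, :image, :prod_type, :made, :dist)'
    );
    // Values are sent separately from the SQL text; on a statement the
    // method that runs it is execute().
    $stmt->execute([
        ':name'      => $in['name'] ?? null,
        ':desc'      => $in['description'] ?? null,
        ':price'     => $in['price'] ?? null,
        ':image'     => $in['image'] ?? null,
        ':prod_type' => $in['prod_type'] ?? null,
        ':made'      => $in['made'] ?? null,
        ':dist'      => $in['distribute'] ?? null,
    ]);
    return $stmt->rowCount();
}

// Constructed sample input standing in for $_POST; the name contains quote
// and comment characters that would break a string-concatenated query.
$post = ['name' => "O'Brien's \"deluxe\" widget; -- ", 'description' => 'Sample',
         'price' => '9.99', 'image' => 'widget.png', 'prod_type' => 'tools',
         'made' => 'UK', 'distribute' => 'EU'];

try {
    $rows = addProduct($conn, $post);
    $stored = $conn->query('SELECT NAME FROM Products')->fetchColumn();
    echo $rows === 1 && $stored === $post['name'] ? "Stored verbatim as data\n" : "Mismatch\n";
} catch (PDOException $error) {
    // Log the detail server-side; do not echo SQL or driver messages to the browser.
    error_log($error->getMessage());
    echo "Could not add the record\n";
}
```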