Jump to content

MySQL injection protection

undertaker

By undertaker
in PHP Coding Help

 Share

Recommended Posts

cssfreakie Regular Member

cssfreakie

Posted
Posted

Wow, I copied your question into Google and got thousands of relevant results, imagine that.

are you serious? i got this:

149m7gk.jpg

 

maybe i made a typo.

 

 

 

*sorry for trolling this just asked for it  :facewall:

 

dougjohnson Newbie

dougjohnson

Posted
Posted

The best way to protect against MySQL injections in php is to use "Prepared" statements.  You don't need to validate the user input since it is completely separated from the mysql statement.

 

Example:

 

$connection = new mysqli('server', 'username', 'password', 'database');
$result = $connection->prepare("SELECT products, usertype, special_pricing_user, special_pricing, pcconly FROM users WHERE username = ?");
$result->bind_param("s", $username);
$result->execute();
$result->bind_result($userproducts, $usertype, $special_pricing_user, $special_pricing, $pcconly);
while ($row = $result->fetch()) {
//
}

 

Bl4ckMaj1k Member

Bl4ckMaj1k

Posted
Posted

The best way to protect against MySQL injections in php is to use "Prepared" statements.  You don't need to validate the user input since it is completely separated from the mysql statement.

 

Example:

 

$connection = new mysqli('server', 'username', 'password', 'database');
$result = $connection->prepare("SELECT products, usertype, special_pricing_user, special_pricing, pcconly FROM users WHERE username = ?");
$result->bind_param("s", $username);
$result->execute();
$result->bind_result($userproducts, $usertype, $special_pricing_user, $special_pricing, $pcconly);
while ($row = $result->fetch()) {
//
}

 

 

For us Noobs, can someone please break down what's going on in this form?? (in Lamens terms?)

blew Newbie

blew

Posted
Posted

The best way to protect against MySQL injections in php is to use "Prepared" statements.  You don't need to validate the user input since it is completely separated from the mysql statement.

 

Example:

 

$connection = new mysqli('server', 'username', 'password', 'database');
$result = $connection->prepare("SELECT products, usertype, special_pricing_user, special_pricing, pcconly FROM users WHERE username = ?");
$result->bind_param("s", $username);
$result->execute();
$result->bind_result($userproducts, $usertype, $special_pricing_user, $special_pricing, $pcconly);
while ($row = $result->fetch()) {
//
}

 

 

For us Noobs, can someone please break down what's going on in this form?? (in Lamens terms?)

 

Prepared Statements is just for PDO connections

 

its better to use it than connecting straight to mysql

in the beginning, its harder to use than mysql, but then its really easy, and safer

 

http://www.php.net/manual/en/book.pdo.php for more informations

google -> PHP PDO ftw

Maq Prolific Member

Maq

Posted
Posted

In addition to the above:

// Create a new mysqli object which is an interface to be specific
$connection = new mysqli('server', 'username', 'password', 'database');
// Invoke the prepare() method with the 'prepared' query string
$result = $connection->prepare("SELECT products, usertype, special_pricing_user, special_pricing, pcconly FROM users WHERE username = ?");
// Bind $username to the '?' value field that you see above
$result->bind_param("s", $username);
// Execute the query 
$result->execute();
// Fetch the results into the $result array
$result->bind_result($userproducts, $usertype, $special_pricing_user, $special_pricing, $pcconly);
// Loop through the results
while ($row = $result->fetch()) {

//
}

If that's too layman for you, then ask for specifics.

KevinM1 Advanced Member

KevinM1

Posted
Posted

The best way to protect against MySQL injections in php is to use "Prepared" statements.  You don't need to validate the user input since it is completely separated from the mysql statement.

 

Example:

 

$connection = new mysqli('server', 'username', 'password', 'database');
$result = $connection->prepare("SELECT products, usertype, special_pricing_user, special_pricing, pcconly FROM users WHERE username = ?");
$result->bind_param("s", $username);
$result->execute();
$result->bind_result($userproducts, $usertype, $special_pricing_user, $special_pricing, $pcconly);
while ($row = $result->fetch()) {
//
}

 

 

For us Noobs, can someone please break down what's going on in this form?? (in Lamens terms?)

 

Prepared Statements is just for PDO connections

 

its better to use it than connecting straight to mysql

in the beginning, its harder to use than mysql, but then its really easy, and safer

 

http://www.php.net/manual/en/book.pdo.php for more informations

google -> PHP PDO ftw

 

And for MySQLi, which is what the code example shows....

dougjohnson Newbie

dougjohnson

Posted
Posted

Take a look at this: http://php.net/manual/en/mysqli.prepare.php

 

What's going on here is the ?'s are place holders for the actual user variable input.  The bind_param "maps" the input to the corresponding "?" placeholder.  The binding "s" is for alphanumeric input, "i" would be for numeric and there are a couple other types see the link above.  The bind_result loads up the resulting values from the prepared mysql statement.  At first all of this is a pain, but after a while it's ok and you don't have to worry about injections.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.