
Prevent mysql injection in Php before submitted to the database?

0 votes
318 views
posted Aug 8, 2014 by Vrije Mani Upadhyay


1 Answer

0 votes

Best answer

Use either PDO or Mysqli with the binding syntax. This alone will prevent most injection attacks.

Example:

    // Named placeholders stand in for the values; the SQL text itself never changes.
    $stmt = $db->prepare(
        'UPDATE users ' .
        'SET userEmail=:email, userSalt=:salt, userPass=:pass ' .
        'WHERE userId=:userId LIMIT 1' );
    // Each value is bound with an explicit type, so it is sent as data, not as SQL.
    $stmt->bindParam( ':email',  $this->_email,    \PDO::PARAM_STR );
    $stmt->bindParam( ':salt',   $this->_salt,     \PDO::PARAM_STR );
    $stmt->bindParam( ':pass',   $this->_password, \PDO::PARAM_STR );
    $stmt->bindParam( ':userId', $this->_id,       \PDO::PARAM_INT );
    $stmt->execute();

In the above example, trying to escape the :email binding to insert a DROP TABLE won't work.

You still need to be careful with user-provided data. For instance, if the user provides a $docId for a get document query, make sure they're authorized for the document being requested. (And not just guessing a $docId belonging to some other user).

answer Aug 9, 2014 by Rahul Singh
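To make both points of the answer concrete, here is an added example that is not from the original answer: it contrasts a query built by string interpolation with a PDO prepared statement, then adds the per-user ownership check the answer recommends for a document lookup. It uses an in-memory SQLite database so it runs offline; the table and column names, the sample rows and the hostile input are all constructed for this demo.

```php
<?php
// Added example (not part of the original answer). Uses SQLite in memory so
// it runs offline; table/column names and sample rows are assumptions.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE users (userId INTEGER PRIMARY KEY, userEmail TEXT)');
$db->exec('CREATE TABLE documents (docId INTEGER PRIMARY KEY, ownerId INTEGER, body TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice@example.com'), (2, 'bob@example.com')");
$db->exec("INSERT INTO documents VALUES (10, 1, 'alice private'), (20, 2, 'bob private')");

// Constructed hostile input: closes the quote and makes the WHERE clause always true.
$hostileEmail = "x' OR '1'='1";

// Unsafe: the value is pasted into the SQL text, so it can rewrite the query.
function findUserUnsafe(PDO $db, string $email): array {
    $sql = "SELECT userId, userEmail FROM users WHERE userEmail = '$email'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the value is bound as a parameter and is only ever compared as data.
function findUserSafe(PDO $db, string $email): array {
    $stmt = $db->prepare('SELECT userId, userEmail FROM users WHERE userEmail = :email');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Authorization: binding stops injection, but a well-formed docId belonging to
// another user is still a perfectly valid query. Scoping the lookup to the
// requesting user means a guessed id simply returns nothing.
function getDocument(PDO $db, int $docId, int $requestingUserId): ?array {
    $stmt = $db->prepare(
        'SELECT docId, body FROM documents WHERE docId = :docId AND ownerId = :userId LIMIT 1'
    );
    $stmt->bindValue(':docId', $docId, PDO::PARAM_INT);
    $stmt->bindValue(':userId', $requestingUserId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

printf("unsafe lookup returned %d row(s)\n", count(findUserUnsafe($db, $hostileEmail)));
printf("safe lookup returned %d row(s)\n", count(findUserSafe($db, $hostileEmail)));
var_dump(getDocument($db, 20, 1)); // user 1 asking for user 2's document
var_dump(getDocument($db, 10, 1)); // user 1 asking for their own document
```

Run with `php example.php`. The unsafe lookup returns every user because the injected `OR '1'='1'` turns the filter into a tautology, while the safe lookup returns no rows because no account has that literal string as its e-mail. The last two calls show the authorization point: document 20 comes back as NULL for user 1 even though the id is valid, and only document 10 is returned. When targeting MySQL rather than SQLite, it is also worth setting `PDO::ATTR_EMULATE_PREPARES` to false so the binding is done server-side by the driver.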
Similar Questions
0 votes

I have a client where their next auto-increment number just jumped from 2300 to ********** for reasons not understood. They want it set back.

Options such as dropping the primary key and rebuilding the index are NOT possible -- this is a relational table thing. So, is there a way (programmatically) to set the next number in an auto-increment?

Something like:

alter table abc auto_increment = 2301;

Any ideas of why this happened?

0 votes

I wish to delete records in my database that are older than 3 months.

$todays_date = date('Y-m-d');
$old_records_to_delete = ???

if($old_records_to_delete)
{
include('connect.php');
// delete rows dated before the cutoff, i.e. older than it
$sql = "DELETE FROM table WHERE date < '$old_records_to_delete'";
mysql_query($sql, $connect_db) or die(mysql_error());
}
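As an added example that is not part of the original question, the cutoff can be computed from the current date and the deletion run as a prepared statement instead of an interpolated `mysql_query` string. It uses an in-memory SQLite table named `records` with a `date` column (assumed names) and two constructed rows so it runs offline.

```php
<?php
// Added example (not from the original question). SQLite in memory; the
// "records" table, its "date" column and the two sample rows are assumptions.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, date TEXT NOT NULL)');

// Constructed rows: one a year old, one from today.
$today = new DateTimeImmutable('today');
$ins = $db->prepare('INSERT INTO records (date) VALUES (:d)');
$ins->execute([':d' => $today->sub(new DateInterval('P1Y'))->format('Y-m-d')]);
$ins->execute([':d' => $today->format('Y-m-d')]);

// Cutoff = now minus 3 months, in the same Y-m-d form the column stores,
// so a plain string comparison orders dates correctly.
function cutoffDate(DateTimeImmutable $now): string {
    return $now->sub(new DateInterval('P3M'))->format('Y-m-d');
}

// Delete rows dated strictly before the cutoff ("older than"). The cutoff is
// computed rather than user-supplied, but binding it keeps the query shape
// fixed no matter where the value comes from. Returns the rows removed.
function deleteOlderThan(PDO $db, string $cutoff): int {
    $stmt = $db->prepare('DELETE FROM records WHERE date < :cutoff');
    $stmt->bindValue(':cutoff', $cutoff, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount();
}

$removed = deleteOlderThan($db, cutoffDate($today));
$remaining = $db->query('SELECT COUNT(*) FROM records')->fetchColumn();
echo "removed $removed row(s), $remaining remaining\n";
```

The year-old row is removed and today's row is kept. Two details worth knowing: the comparison is `<`, not `>=`, since `>=` would delete the recent rows and keep the old ones; and `sub(new DateInterval('P3M'))` rolls over at month ends (the 31st minus three months can land in the following month), so if exact month boundaries matter, clamp the day first. The `mysql_*` functions used in the question were removed in PHP 7, so PDO or mysqli with binding is the path forward in any case.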

+1 vote

I have some problem
I have stored the data in the database without encryption, but after 1 day I see the data in encrypted form and don't know the details.

I am using php and mysql, Could the experts please comment on this, and offer some advice?

...