I have this code
$sql = "INSERT INTO tblLecturer (lec_id,lec_lastname,lec_firstname)
VALUES ('$lid','$lname','$fname')";

How can I protect this code from SQL injection?

Any help plzz..
Thank u..
Updated 5-Oct-17 23:30pm
[no name] 24-Aug-18 11:05am
Use bind_param. It binds different parameters to the query and conveys the parameters to the database. You should always use prepared statements to execute SQL queries. It is the best way to prevent PHP SQL injection attacks.

Change your SQL statement to a prepared statement like this:
$sql = "INSERT INTO tblLecturer (lec_id,lec_lastname,lec_firstname) VALUES (?, ?, ?)";
if (!($stmt = $mysqli->prepare($sql))) {
    die("Prepare failed: " . $mysqli->errno);
}
// 'sss': all three placeholders are bound as strings
if (!$stmt->bind_param('sss', $lid, $lname, $fname)) {
    die("Binding parameters failed: " . $stmt->errno);
}
if (!$stmt->execute()) {
    die("Insert registration table failed: " . $stmt->errno);
}
$stmt->close();
Member 10626057 20-Mar-14 1:24am
I'm getting an error:
Fatal error: Call to a member function prepare() on a non-object
Member 10626057 20-Mar-14 1:40am
the problem is in this line
if (!($stmt = $mysqli->prepare($sql))) {
Peter Leow 20-Mar-14 2:01am
I think you are using an older version of PHP. See
Member 10626057 20-Mar-14 2:03am
I am using XAMPP 1.7.3
Peter Leow 20-Mar-14 2:56am
That is way too old. You should upgrade it to the latest XAMPP, which is v1.8... Find out from the Apache Friends website.
Member 10626057 20-Mar-14 3:06am
I'll upgrade it..
Member 10626057 19-Mar-14 14:50pm
Thank you.. I'll try it :)
You can use PDO[^], which is enabled by default since PHP 5.1.0:
$pdo = new PDO("connection string here", "username", "password");
// make failed calls throw instead of silently returning false
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = $pdo->prepare("INSERT INTO tblLecturer (lec_id,lec_lastname,lec_firstname)
VALUES ( :lid , :lname, :fname )");

// all three named placeholders must be supplied in a single execute() call
$sql->execute(array('lid' => $lid, 'lname' => $lname, 'fname' => $fname));

// an INSERT returns no rows to iterate; check how many rows were written instead
$inserted = $sql->rowCount();

Then, replace connection string here with your connection string and provide your username and password. If you don't know which connection string to use, have a look here:[^]

More information here:[^]
Member 10626057 20-Mar-14 2:17am
Getting error:
Fatal error: Call to a member function prepare() on a non-object
on the line $sql = $pdo->prepare
Thomas Daniels 20-Mar-14 12:31pm
I have updated my answer.
Member 10626057 20-Mar-14 2:48am
any help plzz.. :(
Add this below code and try it
$lid=htmlentities(addslashes($_POST['id of l'])); // just add htmlentities and addslashes

$lname=htmlentities(addslashes($_POST['id of l name']));

$fname=htmlentities(addslashes($_POST['id of f name']));

// Now your data is safe to insert through a query

$sql = "INSERT INTO tblLecturer (lec_id,lec_lastname,lec_firstname)
VALUES ('$lid','$lname','$fname')";

mysql_query($sql) or die(mysql_error());
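As an added example, not code from any of the answers above: the same tblLecturer insert done both ways, first by interpolating the values into the SQL text (as in the question and the answer above) and then with a PDO prepared statement as in the PDO answer. It runs against an in-memory SQLite database so no MySQL server is needed; the DSN, the CREATE TABLE statement and the "O'Brien" sample row are constructed for this demonstration.

```php
<?php
// Added example (not from any answer on this page). SQLite in memory stands in
// for MySQL; for MySQL only the DSN, username and password would change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tblLecturer (lec_id TEXT, lec_lastname TEXT, lec_firstname TEXT)');

// Constructed input: an ordinary surname that happens to contain a single quote.
$lid   = 'L001';
$lname = "O'Brien";
$fname = 'Siobhan';

// Interpolation: the quote inside $lname becomes part of the SQL grammar,
// so the statement is no longer the one the programmer wrote.
try {
    $pdo->exec("INSERT INTO tblLecturer (lec_id,lec_lastname,lec_firstname)
                VALUES ('$lid','$lname','$fname')");
} catch (PDOException $e) {
    echo "Interpolated insert failed: " . $e->getMessage() . "\n";
}

// Prepared statement: the SQL text is fixed once; the values travel separately
// as data and are never parsed as SQL, whatever characters they contain.
// (For MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server,
// not the PHP driver, does the binding.)
$stmt = $pdo->prepare("INSERT INTO tblLecturer (lec_id,lec_lastname,lec_firstname)
                       VALUES (:lid, :lname, :fname)");
// Every named placeholder is supplied in one execute() call.
$stmt->execute([':lid' => $lid, ':lname' => $lname, ':fname' => $fname]);

// Read the row back: the surname is stored verbatim, quote included.
$row = $pdo->query('SELECT * FROM tblLecturer')->fetch(PDO::FETCH_ASSOC);
var_dump($row['lec_lastname'] === "O'Brien");
```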

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)