Hello..
I have this code
$sql = "INSERT INTO tblLecturer (lec_id,lec_lastname,lec_firstname)
VALUES ('$lid','$lname','$fname')";

How can I protect this code from SQL injection?

Any help please..
Thank you..
Updated 5-Oct-17 23:30pm
Comments
[no name] 24-Aug-18 11:05am
Use bind_param. It binds different parameters to the query and conveys the parameters to the database. You should always use prepared statements to execute SQL queries. It is the best way to prevent PHP SQL injection attacks.

Change your SQL statement to a prepared statement like this:
PHP
// $mysqli must be an open connection; replace the placeholders with your own values
$mysqli = new mysqli("DB_HOST_PLACEHOLDER", "DB_USER_PLACEHOLDER", "DB_PASSWORD_PLACEHOLDER", "DB_NAME_PLACEHOLDER");
if ($mysqli->connect_errno) {
    die("Connect failed: " . $mysqli->connect_errno . " " . $mysqli->connect_error);
}

// The values are replaced by ? placeholders, so they are never part of the SQL text
$sql = "INSERT INTO tblLecturer (lec_id,lec_lastname,lec_firstname) VALUES (?, ?, ?)";

if (!($stmt = $mysqli->prepare($sql))) {
    die("Prepare failed: " . $mysqli->errno . " " . $mysqli->error);
}

// 'sss' = three string parameters, bound to the variables from the question ($lid, not $id)
if (!$stmt->bind_param('sss', $lid, $lname, $fname)) {
    die("Binding parameters failed: " . $stmt->errno . " " . $stmt->error);
}

// The bound values are sent to the server separately from the statement
if (!$stmt->execute()) {
    die("Insert registration table failed: " . $stmt->errno . " " . $stmt->error);
}
Comments
Member 10626057 20-Mar-14 1:24am
I'm getting an error
Fatal error: Call to a member function prepare() on a non-object
Member 10626057 20-Mar-14 1:40am
The problem is in this line
if (!($stmt = $mysqli->prepare($sql))) {
Peter Leow 20-Mar-14 2:01am
I think you are using an older version of PHP. See http://www.php.net/manual/en/mysqli.installation.php
Member 10626057 20-Mar-14 2:03am
I am using XAMPP 1.7.3
Peter Leow 20-Mar-14 2:56am
That is way too old. You should upgrade it to the latest XAMPP, which is v1.8... Find out from the Apache Friends website http://www.apachefriends.org/index.html
Member 10626057 20-Mar-14 3:06am
Okay..
I'll upgrade it..
Comments
Member 10626057 19-Mar-14 14:50pm
Thank you.. I'll try it :)
You can use PDO, which is enabled by default since PHP 5.1.0:
PHP
$pdo = new PDO("connection string here", "username", "password");
// Throw an exception on database errors instead of failing silently
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Named placeholders stand in for the values; the SQL text never contains user input
$sql = $pdo->prepare("INSERT INTO tblLecturer (lec_id,lec_lastname,lec_firstname)
VALUES ( :lid , :lname, :fname )");

// All three placeholders must be supplied in one execute() call
$sql->execute(array('lid' => $lid, 'lname' => $lname, 'fname' => $fname));

// An INSERT returns no rows to iterate; rowCount() tells you how many were inserted
echo $sql->rowCount() . " row(s) inserted";

Then, replace connection string here with your connection string and provide your username and password. If you don't know which connection string to use, have a look here: http://www.connectionstrings.com/

More information here:
http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php
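As an added example that is not part of any answer above, here is the question's INSERT run both ways with PDO against an in-memory SQLite database, so it runs offline without a MySQL server; the surname is a constructed input that happens to contain a quote, which is enough to show why interpolation fails and a prepared statement does not:

```php
<?php
// Added example: the question's INSERT with string interpolation versus a
// prepared statement. Table and column names are the question's; the
// database is an in-memory SQLite instance and the input values are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE tblLecturer (lec_id TEXT, lec_lastname TEXT, lec_firstname TEXT)");

// Constructed input: a perfectly legitimate surname containing a single quote.
$lid   = 'L001';
$lname = "O'Brien";
$fname = 'Mary';

// 1. The question's approach: the value is pasted into the SQL text, so the
//    quote inside the name becomes part of the SQL grammar.
try {
    $sql = "INSERT INTO tblLecturer (lec_id,lec_lastname,lec_firstname)
            VALUES ('$lid','$lname','$fname')";
    $pdo->exec($sql);
    echo "interpolated: inserted\n";
} catch (PDOException $e) {
    // The quote ends the string literal early and the rest is a syntax error.
    // Any input that can break the statement can also change what it does.
    echo "interpolated: failed (" . $e->getMessage() . ")\n";
}

// 2. Prepared statement: the SQL text is fixed and the values travel separately
//    as data, so a quote in a name can never alter the statement.
$stmt = $pdo->prepare("INSERT INTO tblLecturer (lec_id,lec_lastname,lec_firstname)
                       VALUES (:lid, :lname, :fname)");
$stmt->execute([':lid' => $lid, ':lname' => $lname, ':fname' => $fname]);

// The row is stored with the quote intact; no addslashes() or escaping was needed.
$check = $pdo->prepare("SELECT lec_lastname FROM tblLecturer WHERE lec_id = :lid");
$check->execute([':lid' => $lid]);
echo "prepared: stored '" . $check->fetchColumn() . "'\n";
```

Swapping the SQLite DSN for your MySQL connection string leaves the rest of the code unchanged, since PDO placeholders work the same way for both.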
Comments
Member 10626057 20-Mar-14 2:17am
Getting error
Fatal error: Call to a member function prepare() on a non-object
line $sql = $pdo->prepare
Thomas Daniels 20-Mar-14 12:31pm
I have updated my answer.
Member 10626057 20-Mar-14 2:48am
Any help please.. :(
Add the code below and try it
PHP
// addslashes() escapes quotes and backslashes; htmlentities() encodes HTML characters
$lid   = htmlentities(addslashes($_POST['id of l']));      // just add htmlentities and addslashes
$lname = htmlentities(addslashes($_POST['id of l name']));
$fname = htmlentities(addslashes($_POST['id of f name']));

// Now your data is safe to insert through a query
// (note: addslashes() is not aware of the connection character set, and the
//  mysql_* extension used below was removed in PHP 7; prepared statements as in
//  the other answers do not depend on escaping at all)

$sql = "INSERT INTO tblLecturer (lec_id,lec_lastname,lec_firstname)
VALUES ('$lid','$lname','$fname')";

mysql_query($sql) or die(mysql_error());

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)