How to prevent sql injection in PHP?

Question

0.00/5 (No votes)

See more:

Hello..
I have this code
$sql = "INSERT INTO tblLecturer (lec_id,lec_lastname,lec_firstname)
VALUES ('$lid','$lname','$fname')";

How can i protect this code from sql injection?

Any help plzz..
Thank u..

Posted 19-Mar-14 8:41am

Member 10626057

Updated 5-Oct-17 23:30pm

v2

Add a Solution

Comments

[no name] 24-Aug-18 11:05am

Use bind_param. It binds different parameters to the query and conveys parameters to the database. You should always use prepared statements to execute sql queries. It is best to prevent php sql injection attacks.

4 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Peter Leow · Answer 1 · 2014-03-19T17:29:00

Solution 3

Change you sql statement to a prepared statement like this:

SQL

$sql = "INSERT INTO tblLecturer (lec_id,lec_lastname,lec_firstname) VALUES (?, ?, ?)";
 
if (!($stmt = $mysqli->prepare($sql))) {
    die("Prepare failed: ".$mysqli->errno);
}
 
if (!$stmt->bind_param('sss', $id, $lname, $fname)){
    die("Binding parameters failed: ".$stmt->errno);
}
 
if (!$stmt->execute()) {
    die("Insert registration table failed: ".$stmt->errno);
}

Posted 19-Mar-14 17:29pm

Peter Leow

Comments

Member 10626057 20-Mar-14 1:24am

i'm getting an error
Fatal error: Call to a member function prepare() on a non-object

Member 10626057 20-Mar-14 1:40am

the problem is in this line
if (!($stmt = $mysqli->prepare($sql))) {

Peter Leow 20-Mar-14 2:01am

I think you are using older version of php. see http://www.php.net/manual/en/mysqli.installation.php

Member 10626057 20-Mar-14 2:03am

am using XAMPP 1.7.3

Peter Leow 20-Mar-14 2:56am

That is way too old. Should upgrade it to the latest xampp which is v1.8... Find out from Apache Fried website http://www.apachefriends.org/index.html

Member 10626057 20-Mar-14 3:06am

okie..
i'll upgrade it..

Krunal Rohit · Answer 2 · 2014-03-19T08:46:00

Solution 1

http://www.veracode.com/security/sql-injection[^]
http://www.wikihow.com/Prevent-SQL-Injection-in-PHP[^]

-KR

Posted 19-Mar-14 8:46am

Krunal Rohit

Comments

Member 10626057 19-Mar-14 14:50pm

thank u.. i'll try it :)

Thomas Daniels · Answer 3 · 2014-03-19T08:59:00

You can use PDO[^], which is enabled by default since PHP 5.1.0:

PHP

$pdo = new PDO("connection string here", "username", "password");
$sql = $pdo->prepare("INSERT INTO tblLecturer (lec_id,lec_lastname,lec_firstname)
VALUES ( :lid , :lname, :fname )");

$sql->execute(array('lid' => $lid));
$sql->execute(array('lname' => $lname));
$sql->execute(array('fname' => $fname));

foreach ($sql as $row) {
    // iterate over your rows
}

Then, replace connection string here with your connection string and provide your username and password. If you don't know which connection string to use, have a look here: http://www.connectionstrings.com/[^]

More information here:
http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php[^]

kishore@cse · Answer 4 · 2014-03-23T23:25:00

Add this below code and try it

PHP

$lid=htmlentities(addslashes($_POST['id of l'])); // just add htmlentities and addslashes

$lname=htmlentities(addslashes($_POST['id of l name']));

$fname=htmlentities(addslashes($_POST['id of f name']));

// Now your data is safe to insert through a query


$sql = "INSERT INTO tblLecturer (lec_id,lec_lastname,lec_firstname)
VALUES ('$lid','$lname','$fname')" ; 

mysql_query($sql) or die(mysql_error());

How to prevent sql injection in PHP?

4 solutions

Solution 3

Solution 1

Solution 2

Solution 4

Add your solution here

Preview 0