How to switch from SQL-injection-vulnerable PHP MySQL queries to non-vulnerable MySQLi queries

I'm teaching myself MySQLi to make my site not vulnerable to SQL injection (which it is now), but I get confused when I try to "translate" my old queries into MySQLi statements, so I hope you can help me with some examples so I can get it. Many thanks!

Site Counter Update

$sql = "UPDATE post SET counter = counter+1 WHERE id=".$tget;

Sort my comments

$info=mysql_query("SELECT * FROM `comments` WHERE idpost=" . $tget . " AND active=1 ORDER BY datetime DESC");

Save Comment

$sql = "INSERT INTO `comments` (`id`, `idpost`, `comment`, `datetime`, `author`, `active`) VALUES (NULL, '" . addslashes($_POST['idcomment']) . "', '" . addslashes($_POST['comment']) . "', NOW(), '" . addslashes($_POST['name']) . "', '1');";

If you can explain to me how to go from here to MySQLi, I can finish the other queries myself.

And by the way, if you (the expert) think that there is another way to protect me from SQL injection that is better than MySQLi, tell me about it.

+3
2 answers
$conn = new mysqli(…);
$sql = "UPDATE post SET counter = counter + 1 WHERE id = ?";  // ? is a placeholder, not string concatenation
$stmt = $conn->prepare($sql);
$stmt->bind_param("i", $tget);  // "i": bind $tget as an integer
$stmt->execute();

bind_param takes a type string with one character per placeholder: i (integer), s (string), d (double), b (blob):

$stmt = $conn->prepare("INSERT INTO mytable (int_column, string_column, double_column, blob_column, another_int_column) VALUES (?, ?, ?, ?, ?)");
$stmt->bind_param("isdbi", $int_val, $string_val, $double_val, $blob_val, $another_int_val);  // one type letter per ?, in order
$stmt->execute();
+4
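The three queries from the question carried through as MySQLi prepared statements, as an added example that is not code from either answer or from the asker. It assumes a MySQL server, placeholder credentials, the `post` and `comments` tables described in the question, and that the post id arrives in `$_GET['id']` (the asker's `$tget`); the function names and the `mysqlnd`-backed `get_result()` call are choices made here, not something the page specifies.

```php
<?php
// Added example, not the original page's code. Assumes a MySQL server with the
// `post` and `comments` tables from the question and the placeholder
// credentials below.
declare(strict_types=1);

// Make MySQLi throw on failure so a failed prepare()/execute() cannot be
// silently ignored (this is the default from PHP 8.1 onward).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$conn = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // assumed credentials
$conn->set_charset('utf8mb4'); // set the charset on the connection, not via SQL text

// 1. Site counter update: the id is bound as an integer, never spliced into SQL.
function incrementCounter(mysqli $conn, int $postId): int
{
    $stmt = $conn->prepare('UPDATE post SET counter = counter + 1 WHERE id = ?');
    $stmt->bind_param('i', $postId);
    $stmt->execute();
    return $stmt->affected_rows; // 1 if the post exists, 0 otherwise
}

// 2. Sort comments: same placeholder for the post id; rows are fetched with
//    get_result() (needs the mysqlnd driver) instead of mysql_fetch_assoc().
function activeComments(mysqli $conn, int $postId): array
{
    $stmt = $conn->prepare(
        'SELECT id, idpost, comment, datetime, author
           FROM comments
          WHERE idpost = ? AND active = 1
          ORDER BY datetime DESC'
    );
    $stmt->bind_param('i', $postId);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// 3. Save comment: bound parameters replace the addslashes() calls. A comment
//    containing quotes, backslashes or "'; DROP TABLE comments; --" is stored
//    literally, because it is sent separately from the SQL and never parsed as SQL.
function saveComment(mysqli $conn, int $postId, string $comment, string $author): int
{
    $stmt = $conn->prepare(
        'INSERT INTO comments (idpost, comment, datetime, author, active)
         VALUES (?, ?, NOW(), ?, 1)'
    );
    $stmt->bind_param('iss', $postId, $comment, $author);
    $stmt->execute();
    return (int) $conn->insert_id; // AUTO_INCREMENT id of the new row
}

// Usage: validate the id from the URL as an integer before it reaches any query.
$tget = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($tget === false || $tget === null) {
    http_response_code(400);
    exit('invalid post id');
}
incrementCounter($conn, $tget);
foreach (activeComments($conn, $tget) as $row) {
    // Escaping for HTML output is a separate concern from SQL injection.
    echo htmlspecialchars($row['author'], ENT_QUOTES, 'UTF-8'), ': ',
         htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The point to take from the conversion is that the SQL text never changes between requests: every user-supplied value goes through `bind_param`, so the `addslashes()` calls in the original INSERT are no longer needed (and were never a reliable defence, since they are charset-unaware). The `mysqli_report` line is the check a practitioner wants: without it, a `prepare()` that fails returns `false` and the following `bind_param` call fails in a way that is easy to miss in production logs.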

In my experience: bind_param.

bind_param() vars

0

Source: https://habr.com/ru/post/1788560/

