August 18, 2011 at 8:35 am, #10144, yarek (Participant):

I have many functions like

    updateUser($id, $username, $email)
    updateMusic($id, $music)

etc. Is there a generic function to avoid SQL injections? I just want to avoid using mysql_real_escape_string for each parameter I have:

    $username = mysql_real_escape_string($username);
    $email    = mysql_real_escape_string($email);
    $music    = mysql_real_escape_string($music);
August 18, 2011 at 8:37 am, #10145, serges (Participant):

No there isn't, but you can parse all your inputs (e.g. GET and POST) at the beginning of the script.
August 18, 2011 at 8:38 am, #10148, treecoder (Participant):

- ALWAYS use prepared statements.
- Do NOT use the mysql driver; use mysqli or PDO.
August 18, 2011 at 8:39 am, #10147, jacob (Participant):

You should use parameterization and let the database driver handle it for you, i.e. with PDO:

    $dbh = new PDO('mysql:dbname=testdb;host=127.0.0.1', $user, $password);
    // The SQL text contains only placeholders; no user data is concatenated into it.
    $stmt = $dbh->prepare('INSERT INTO REGISTRY (name, value) VALUES (:name, :value)');
    // bindParam binds by reference, so the variables are read at execute() time.
    $stmt->bindParam(':name', $name);
    $stmt->bindParam(':value', $value);
    // insert one row
    $name = 'one';
    $value = 1;
    $stmt->execute();

Code from Bobby-Tables.
August 18, 2011 at 8:39 am, #10146, riad (Participant):

You may use

    list($id, $music) = array_map('mysql_real_escape_string', array($id, $music));

but prepared statements rock.
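The OP asked for one generic function instead of per-parameter escaping. Jacob's post shows a single parameterized INSERT, and riad's post shows escaping several values at once; the following is an added example that is not from the thread or from Bobby Tables, written to show how the two ideas combine into a reusable update helper on PDO. The table and column names (`users`, `music`, `username`, `email`, `id`), the `$user`/`$password` connection variables and the DSN are assumptions for illustration. The one thing a placeholder cannot carry is an identifier (table or column name), so the helper checks those against a fixed whitelist and binds only the values.

```php
<?php
declare(strict_types=1);

// Added example (not the thread's code). Assumes hypothetical tables `users`
// (columns id, username, email) and `music` (columns id, music).

// Generic UPDATE helper: identifiers come from a whitelist, values are bound.
function updateRow(PDO $dbh, string $table, array $values, int $id): int
{
    // Identifiers cannot be bound as parameters, so they must never be taken
    // from user input unless matched against this fixed list.
    static $allowed = [
        'users' => ['username', 'email'],
        'music' => ['music'],
    ];
    if (!isset($allowed[$table])) {
        throw new InvalidArgumentException("Unknown table: $table");
    }

    $set    = [];
    $params = [':id' => $id];
    foreach ($values as $column => $value) {
        if (!in_array($column, $allowed[$table], true)) {
            throw new InvalidArgumentException("Unknown column: $column");
        }
        // Column name is whitelisted, so it is safe to embed in the SQL text;
        // the value goes through a named placeholder.
        $set[]               = "`$column` = :$column";
        $params[":$column"]  = $value;
    }
    if ($set === []) {
        throw new InvalidArgumentException('Nothing to update');
    }

    $sql  = "UPDATE `$table` SET " . implode(', ', $set) . " WHERE `id` = :id";
    $stmt = $dbh->prepare($sql);
    $stmt->execute($params); // values travel to the server separately from the SQL
    return $stmt->rowCount();
}

// The OP's per-entity functions become thin wrappers with no escaping at all.
function updateUser(PDO $dbh, int $id, string $username, string $email): int
{
    return updateRow($dbh, 'users', ['username' => $username, 'email' => $email], $id);
}

function updateMusic(PDO $dbh, int $id, string $music): int
{
    return updateRow($dbh, 'music', ['music' => $music], $id);
}

// $user and $password are assumed to be set elsewhere (connection details are hypothetical).
$dbh = new PDO('mysql:dbname=testdb;host=127.0.0.1', $user, $password, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
]);

// A hostile value is stored literally as the username; it never becomes SQL.
updateUser($dbh, 42, "bob' OR 1=1 -- ", 'bob@example.com');
updateMusic($dbh, 42, 'Robert"); DROP TABLE music; --');
```

Two caveats worth keeping in mind with the escaping approach in the thread: mysql_real_escape_string only protects a value that ends up inside a quoted string literal, so an unquoted numeric context such as `WHERE id = $id` stays injectable no matter how the value is escaped, whereas a bound parameter is safe in either position. And the whole ext/mysql family (mysql_query, mysql_real_escape_string, etc.) was deprecated in PHP 5.5 and removed in PHP 7, so code built on it will not run on a current interpreter at all; mysqli and PDO both support prepared statements.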