php – mysql avoid sql injections

This topic is empty.

Viewing 5 posts - 1 through 5 (of 5 total)

Author

Posts
August 18, 2011 at 8:35 am #10144
yarek
Participant
I have many functions like
```
updateUser($id,$username,$email)
updateMusic($id, $music)
```
etc…

Is there a generic function to avoid SQL injections ?

I just want to avoid using mysql_real_escape_string for each parameter I have
```
$username = mysql_real_escape_string($username);
$email= mysql_real_escape_string($email);
$music= mysql_real_escape_string($music);
```
August 18, 2011 at 8:37 am #10145

serges
Participant

No there isn’t, but you can parse all your inputs ( eg. GET and POST ) at beggining of the script

August 18, 2011 at 8:38 am #10148
treecoder
Participant
- ALWAYS use prepared statements
- Do NOT use mysql driver, use mysqli or PDO
August 18, 2011 at 8:39 am #10147
jacob
Participant
You should use parameterization and let the database driver handle it for you, i.e. with PDO:
```
$dbh = new PDO('mysql:dbname=testdb;host=127.0.0.1', $user, $password); 
$stmt = $dbh->prepare('INSERT INTO REGISTRY (name, value) VALUES (:name, :value)');
$stmt->bindParam(':name', $name); 
$stmt->bindParam(':value', $value); 

// insert one row 
$name = 'one'; 
$value = 1; 
$stmt->execute();
```
Code from Bobby-Tables.
August 18, 2011 at 8:39 am #10146
riad
Participant
you may use,
```
list($id,$music) = array_map('mysql_real_escape_string',array($id,$music))
```
but prepared statements rocks
Author

Posts

Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.