4

Disclaimer

Please excuse my ignorance, I've written C# for more than 12 years now and I'm quite comfortable with the .NET framework and OO programming, and I've got a good background in enterprise applications, but this is my first bout with PHP.

Question

Alright, so I'm trying to figure out how to issue a prepare using the mysql_query function and I'm not able to put two and two together. Right now I connect like this:

mysql_connect('xxx.x.x.x:xxxx', 'x', 'x');
mysql_select_db('x');

And that is succeeding.

Now, I want to insert some data and so I'm looking at the mysql_query function and just can't figure out how to send a parameterized query to prevent SQL Injection. My code currently looks like this:

mysql_query("INSERT INTO users (email, password, ...)
    VALUES (:email, :password, :...)

But how do I pass the array of values to it?

Additional Question

If I'm using mysql_real_escape_string on every value that I receive via user input, do I need to worry about issuing parameterized queries?

Community
  • 1
  • 1
Mike Perrenoud
  • 66,820
  • 29
  • 157
  • 232
  • 6
    Rule # 0, you don't use `mysql_` functions because they're [being deprecated](http://www.deprecatedphp.com/mysql). You can use `mysqli_` or `PDO` – Kermit Dec 08 '12 at 01:41
  • @njk, now that is some good information! Love the Blog BTW, bookmarked! Now, make that an answer and I'll mark it as such. – Mike Perrenoud Dec 08 '12 at 01:52

2 Answers2

3

You are best off using PDO (or mysqli) to do this. However, you will find examples using PDO, mysqli, adodb and other on the bobby-tables website. I suggest you read the PDO doco for bindValue(), which will get you what you need.

webaware
  • 2,795
  • 2
  • 30
  • 37
2

As stated in my comment, mysql_ functions are being deprecated. You should use mysqli_ or PDO which allows for parameter binding to prevent against SQL injection.

Kermit
  • 33,827
  • 13
  • 85
  • 121