PHP : How to Prevent Sql Injection For this Code

Question

I am New to development.I have created an simple html 5 game for facebook .I use post Request to update.php to store score in database.

Below is my code

<? 
include 'config.php';
mysql_connect(localhost,$user,$password);
$id = mysql_real_escape_string($_POST['id']);
$score = mysql_real_escape_string($_POST['score']);
@mysql_select_db($database) or die( "Unable to select database");
$query = "UPDATE heli SET score = '$score' WHERE app = '$id'";
echo $query;
$result=mysql_query($query);
mysql_close();
?>

Many Complain that my code is vulnerable to Sql injection.Any one Suggest good code that is Secure.Thanks..

`mysql` extension is *deprecated*. Use `mysqli` or `PDO` instead. — J0HN, Feb 22 '13 at 12:28
You are using ´mysql_real_escape_string´, so your code should be safe against SQL-injections. But you should consider moving to ´MySQLi´ or ´PDO´, as ´MySQL´ is deprecated. — Tjoene, Feb 22 '13 at 12:28
@Tjoene not totally. http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string — John Woo, Feb 22 '13 at 12:29

score 4 · Answer 1 · edited May 23 '17 at 12:14

4

use PDO or MySQLi Extension on PHP. Please read the article below,

edited May 23 '17 at 12:14

Community

1
1

answered Feb 22 '13 at 12:27

John Woo

258,903
69
498
492

score 1 · Accepted Answer · edited May 23 '17 at 12:29

1

No, your current code is not vulnerable. However your other code can be.
As long as you're taking mysql_real_escape_string() as a sort of "universal injection preventor", you are in danger.

Here is an answer with explanations I gave to similar question

edited May 23 '17 at 12:29

Community

1
1

answered Feb 22 '13 at 12:31

Your Common Sense

156,878
40
214
345

PHP : How to Prevent Sql Injection For this Code

2 Answers2