I want to secure my mysql connection and php page

Question

I want security against hackers for my mysql connection in a php page.

I have database user's password different from the root password. And I've used this query:

function make_safe2($safe) 
{
$safe = strip_tags(mysqli_real_escape_string(trim($_POST['bname'] . $_POST['why'] . $_POST['email'] . $_POST['submit'])));
return $safe; 
}

Is there any more ways by which I can assure security against SQL injections and other hacking methods. I don't have any login page. I have a form with bname, why and email fields and a submit button. Does submit button needs escape string? :P Silly question I guess.

A complete syntax for other ways of preventions from SQL injections and other methods will be appreciated. :)

[The Great Escapism (Or: What You Need To Know To Work With Text Within Text)](http://kunststube.net/escapism/) — deceze, Mar 10 '13 at 15:37

score 2 · Answer 1 · edited May 23 '17 at 12:04

2

You should use prepared statements with binded parameters.

$stmt = mysqli_prepare($link, "INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");
mysqli_stmt_bind_param($stmt, 'sssd', $code, $language, $official, $percent);

$code = 'DEU';
$language = 'Bavarian';
$official = "F";
$percent = 11.2;

/* execute prepared statement */
mysqli_stmt_execute($stmt);

See the documentation

This answer is a complete guide to understanding how to prevent against SQL injection.

edited May 23 '17 at 12:04

Community

1
1

answered Mar 10 '13 at 15:35

Kermit

33,827
13
85
121

Let me go through it. :) Thanks for the answer. – Mitesh Mynee Mar 10 '13 at 15:46
If I use this syntax: $stmt = $dbConnection->prepare('My SQL Query goes here right?'); $stmt->bind_param('s', $name); what is 's' and $name here? – Mitesh Mynee Mar 10 '13 at 15:53
`s` indicates a string, `$name` refers to a variable. – Kermit Mar 10 '13 at 17:02

I want to secure my mysql connection and php page

1 Answers1