
I am surprised to find out that this hasn't been asked.

Also, is either enough to protect against SQL injection?

Thank you

  • Err, `real_escape_string()` isn't a PHP function for starters – Phil Apr 24 '13 at 06:16
  • @Phil Hey now, it could be a created function that does some fancy stuff in it - and it's magical because we can't see what it does. ;) – Jon Apr 24 '13 at 06:17
  • db is a mysqli. I am using real_escape_string on it @_@ does that make it mysqli_real_escape_string? –  Apr 24 '13 at 06:24
  • @amiranthist Yes, but you don't specify scope, which would be `MySQLi::real_escape_string()`, otherwise it would be known as `mysqli_real_escape_string()` ^^ – Jon Apr 24 '13 at 06:26

1 Answer

I'm guessing you're using mysql or mysqli; you should switch over to PDO and use prepared statements instead of escaping.

As requested. You should have a look at this site.

<?php
// Connection the snippet relies on (DSN and credentials are placeholders).
$DBH = new PDO('mysql:host=localhost;dbname=app', 'db_user', 'db_password');
$DBH->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$username = $_POST['username'];
$password = $_POST['password']; // should be hashed with password_hash() before storage

// The SQL text is fixed at prepare time; bound values cannot alter its structure.
$STH = $DBH->prepare("INSERT INTO users (username, password) VALUES (:username, :password)");
$STH->bindParam(':username', $username);
$STH->bindParam(':password', $password);
$STH->execute();
?>
– Alexis Tyler
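To show concretely why the answer prefers prepared statements over escaping, here is an added example (not code from the question or the answer above) that places a string-built INSERT next to the PDO prepared-statement version and runs both against an in-memory SQLite database so it works offline. It assumes the pdo_sqlite extension is enabled; against MySQL the DSN would be a `mysql:` one, and the table name and the sample user are constructed for this example.

```php
<?php
// Added example: string-built SQL beside a PDO prepared statement.
// Assumption: pdo_sqlite is available. On MySQL use a 'mysql:host=...;dbname=...' DSN
// and additionally set PDO::ATTR_EMULATE_PREPARES => false so the server binds values.
$DBH = new PDO('sqlite::memory:');
$DBH->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$DBH->exec('CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)');

// Vulnerable form: untrusted input is pasted into the SQL text, so a quote in the
// input terminates the string literal and whatever follows is parsed as SQL.
function insertUserConcat(PDO $db, string $username, string $password): void
{
    $sql = "INSERT INTO users (username, password) VALUES ('$username', '$password')";
    $db->exec($sql);
}

// Hardened form: the SQL text is fixed when prepare() runs; the values travel
// separately as parameters and can never change the statement's structure.
function insertUserPrepared(PDO $db, string $username, string $password): void
{
    $sth = $db->prepare('INSERT INTO users (username, password) VALUES (:username, :password)');
    $sth->bindValue(':username', $username, PDO::PARAM_STR);
    $sth->bindValue(':password', $password, PDO::PARAM_STR);
    $sth->execute();
}

// Constructed sample input: an ordinary name that happens to contain an apostrophe.
$username = "O'Brien";
$password = 'hunter2'; // in real code: password_hash($password, PASSWORD_DEFAULT)

try {
    insertUserConcat($DBH, $username, $password);
    echo "concat: inserted\n";
} catch (PDOException $e) {
    // The apostrophe broke the statement; that breakage is the root cause of SQL injection.
    echo 'concat: failed (' . $e->getMessage() . ")\n";
}

insertUserPrepared($DBH, $username, $password);
$row = $DBH->query('SELECT username FROM users')->fetch(PDO::FETCH_ASSOC);
echo 'prepared: stored ' . $row['username'] . "\n"; // O'Brien, exactly as entered
```

Run it with `php example.php`: the concatenated INSERT fails with a syntax error because the apostrophe in the name ended the string literal, while the prepared INSERT stores the name unchanged. Escaping patches over this one character class per call site; parameter binding removes the problem by never letting data become part of the SQL text, which is why it is the default to reach for.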