
My database recently suffered from an SQL injection attack, mostly because I am relatively new to programming and did not know about something like that. I have been trying to learn how to prevent them, but I cannot figure out how for this script. I do have another type of script that I successfully implemented though. How can I prevent an SQL injection attack using this script?

<?php

$autor = $_GET["multi"];
$autop = $_GET["multis"];

$sql = "UPDATE autoj SET autob = '$autop' WHERE autoq = '$autor'";

$hd = "something";
$dd =  $_GET['something'];
$ud = "something";
$pd = "something";

$mysqli = new mysqli($hd, $ud, $pd, $dd); 
if (mysqli_connect_errno()) {
   printf("Connect failed: %s\n", mysqli_connect_error());
   exit();
}

$result = $mysqli->query($sql);
if ($result) {
....

3 Answers


How can I prevent an SQL injection attack using this script?

Exactly the same way as the other one.

Your Common Sense

Try this:

$hd = "something";
$dd = "PUT SOMETHING HERE";
$ud = "something";
$pd = "something";

$mysqli = new mysqli($hd, $ud, $pd, $dd); 
if (mysqli_connect_errno()) {
   printf("Connect failed: %s\n", mysqli_connect_error());
   exit();
}

$autor = $_GET["multi"];
$autop = $_GET["multis"];
$autor = $mysqli->real_escape_string($autor);
$autop = $mysqli->real_escape_string($autop);

$sql = "UPDATE autoj SET autob = '$autop' WHERE autoq = '$autor'";

Also, on line two, I see you used $_GET['something'] to select a database. Don't.

Dave Chen
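As an added example (not code from the question or from any of the answers), here is the same UPDATE rewritten with a mysqli prepared statement, the usual alternative to escaping each value by hand: the two $_GET values travel as bound parameters, so they can never change the SQL text. The table and column names (autoj, autob, autoq) are the ones from the question; the host, user, password, the database names and the allowed-database list are placeholders I made up.

```php
<?php
// Added example, not the asker's or the answerers' code.
// The same UPDATE as in the question, done with a prepared statement.
declare(strict_types=1);

// Make mysqli throw on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$hd = "localhost";    // placeholder host
$ud = "dbuser";       // placeholder user
$pd = "dbpassword";   // placeholder password

// Never take the database name straight from the request. If the script
// really has to pick between databases, map a request key onto a fixed list
// (constructed names below) and reject anything not on it.
$allowedDatabases = ['main' => 'app_main', 'archive' => 'app_archive'];
$dbKey = $_GET['something'] ?? 'main';
if (!array_key_exists($dbKey, $allowedDatabases)) {
    http_response_code(400);
    exit('Unknown database selection');
}
$dd = $allowedDatabases[$dbKey];

$autor = $_GET["multi"]  ?? '';
$autop = $_GET["multis"] ?? '';

$mysqli = new mysqli($hd, $ud, $pd, $dd);
$mysqli->set_charset('utf8mb4');

// The SQL text is fixed; the "?" placeholders receive the values separately,
// so quotes or other characters inside $autop / $autor are just data.
$stmt = $mysqli->prepare("UPDATE autoj SET autob = ? WHERE autoq = ?");
$stmt->bind_param("ss", $autop, $autor);   // "ss": both parameters are strings
$stmt->execute();

printf("Rows updated: %d\n", $stmt->affected_rows);
$stmt->close();
$mysqli->close();
```

Compared with the real_escape_string version above, this removes two things the escaping approach depends on: every escaped value still has to be wrapped in quotes in the SQL string, and the escaping is only correct for the connection's character set (hence the set_charset call, which is worth keeping either way). The bound parameters make the query text independent of the input, and the allow-list keeps the database name out of the request entirely, which is the point of the second answer's last line.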

Use mysqli_real_escape_string: http://php.net/manual/en/mysqli.real-escape-string.php

Biswajit Maji