
I have code on my website that calls upon the pin of a specific row and then echoes data from that row. I need to know how I can prevent an SQL injection using the code.

Here it is:

<?php
if (isset($_GET['pin']))
{
$con=mysqli_connect("server.com","username","password","database");
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
// user input is concatenated straight into the SQL text: this is the injection point
$result = mysqli_query($con,"SELECT * FROM beta WHERE pin = " . $_GET['pin']);
while($row = mysqli_fetch_array($result))
  {
  echo "<table width='600px'><td width='200px'><font face='arial' size='2px'>" . $row['name_pin'] . " " . $row['pin'] . "</font></td><td width='200px'><font face='arial' size='2px'>" . $row['name_info'] . "" . $row['info'] . "</font></td><td width='200px'><font face='arial' size='2px'>" . $row['name_stat'] . " " . $row['stat'] . "</font></td></table>";
  echo "<br>";
  }
mysqli_close($con);
}
?>

Thanks for all the help in advance! P.S.: The more informational you are the better.

John Woo
TheCod3r

2 Answers


Parameterize the value:

$pin = $_GET['pin'];
// $con is the mysqli connection opened in the question; "?" is a parameter marker, not concatenation
$stmt = $con->prepare('SELECT * FROM beta WHERE pin = ?');
$stmt->bind_param('s', $pin);   // the value is sent separately from the SQL text
$stmt->execute();
$result = $stmt->get_result(); // then fetch rows with mysqli_fetch_array($result) as before
John Woo
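A complete hardened version of the question's script, added here as an example (not code from the question or either answer), using the prepared-statement approach above with the question's own connection details and table. It assumes `pin` is a string column and that the mysqlnd driver is available for mysqli_stmt_get_result().

```php
<?php
// Added example (not the question's or either answer's code): the question's script
// rewritten with a mysqli prepared statement. Host, credentials, table and column
// names are the question's; the query text itself never contains user input.
if (isset($_GET['pin'])) {
    $con = mysqli_connect("server.com", "username", "password", "database");
    if (mysqli_connect_errno()) {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
        exit;
    }

    // The SQL is fixed when prepared; "?" is a parameter marker, not concatenation,
    // so whatever $_GET['pin'] holds is sent as a value and can never become SQL syntax.
    $stmt = mysqli_prepare($con, "SELECT * FROM beta WHERE pin = ?");
    if ($stmt === false) {
        echo "Prepare failed: " . mysqli_error($con);
        exit;
    }
    $pin = $_GET['pin'];
    mysqli_stmt_bind_param($stmt, "s", $pin); // "s" = string; use "i" if pin is an integer column
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);   // needs the mysqlnd driver (assumed available)

    while ($row = mysqli_fetch_assoc($result)) {
        // Values echoed into HTML are escaped too, so a stored value cannot inject markup.
        $cell = function ($label, $value) {
            return "<td width='200px'><font face='arial' size='2px'>"
                 . htmlspecialchars($label . " " . $value, ENT_QUOTES, 'UTF-8')
                 . "</font></td>";
        };
        echo "<table width='600px'><tr>"
           . $cell($row['name_pin'], $row['pin'])
           . $cell($row['name_info'], $row['info'])
           . $cell($row['name_stat'], $row['stat'])
           . "</tr></table><br>";
    }
    mysqli_stmt_close($stmt);
    mysqli_close($con);
}
?>
```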
<?php
if (isset($_GET['pin'])){
$con=mysqli_connect("server.com","username","password","database");
$pin= mysqli_real_escape_string($con, $_GET['pin']);
// escaping only protects the value when it is placed inside quotes in the SQL
$result = mysqli_query($con, "SELECT * FROM beta WHERE pin = '" . $pin . "'");
// rest of code (fetch loop, mysqli_close) as in the question
}
?>

http://php.net/manual/en/mysqli.real-escape-string.php

web2students.com