-1

i have searched and added some prevention code but i need expert advice am i correct ?

I have made seperate file for SQL connect but i have confusion whether i should use include, require, include_onces or any other ?

mysql_connect("localhost", "userr", "pass") or die(mysql_error()) ; 
mysql_select_db("databse") or die(mysql_error()) ;

Here i have added two things UTF8 and mysql_real_escape_string.

$bad='anyone123';

$var = mysql_real_escape_string($bad);
$q = mysql_query('SET user_id UTF8');
$q = mysql_query("SELECT * FROM fbusers WHERE user_id = '$var'");
$r = mysql_fetch_array($q);

Please give me advice if how can i prevent injec. to 100% i don't want my website to be hacked :(

Thank you

user2615947
  • 155
  • 7

1 Answers1

0

You need to use prepared statements for any queries that require user input. This sends the query and the parameters seperately and acts as a layer of security to catch any malicious input.

In PDO:

$stmt = $pdo->prepare("SELECT * FROM fbusers WHERE user_id = :var");

$stmt->execute(array(':var'=>$var));

In mysqli:

$stmt = $dbConnection->prepare('SELECT * FROM fbusers WHERE user_id = ?');
$stmt->bind_param('s', $var);

$stmt->execute();

Maybe this post would help.

Community
  • 1
  • 1
Dolchio
  • 469
  • 2
  • 12