In PHP 4 you would insert a form into a MySQL db like this:

<form action="script.php" method="post">
 <fieldset>
  <input id="name" name="name" type="text" placeholder="Insert your name" />
  <input type="submit" value="Opslaan" />
 </fieldset>
</form>

script.php:

<?php
// $host, $username, $password and $database are assumed to be defined earlier
// (for example in an included config file).
mysql_connect($host, $username, $password);
@mysql_select_db($database) or die("Unable to select database");

// Escaping needs an open connection, so it has to happen after mysql_connect().
$name = $_POST['name'];
$name = stripslashes($name);
$name = mysql_real_escape_string($name);

$query = "INSERT INTO names (id, name) VALUES ('', '$name')";
mysql_query($query);
mysql_close();

Now that PHP 5 is out, what is the correct way to insert this form into a MySQL db by the latest standards, using PDO?

SteAp
atMaarten
  • Look up the manual, attempt something. When you encounter an error, report back to SO and we will help. You will not learn if we give you the code – Daryl Gill Aug 30 '13 at 23:51
  • With minimal googling effort you can get the complete answer to your question - php.net is your ultimate resource for all PHP functions – Exwolf Aug 30 '13 at 23:51
  • @PeeHaa OP is asking for code conversion, not SQL Injection prevention – Daryl Gill Aug 30 '13 at 23:52
  • @DarylGill If you had taken the trouble of looking at the actual answer over there you would see that it perfectly answers OP. Sure, it doesn't convert OP's code 1:1. But that's what rentacoder is for – PeeHaa Aug 30 '13 at 23:53
  • It's questions like these that turn one against the other. (Then we wait for the "you know what" to hit the fan). – Funk Forty Niner Aug 30 '13 at 23:55
  • You're looking for the [PDO tutorial for MySQL developers](http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers) – Michael Berkowski Aug 30 '13 at 23:59

2 Answers

This is more or less the simplest way to run an update using PDO:

// database connection ($dbUser and $dbPassword are assumed to hold your credentials)
$conn = new PDO("mysql:host=localhost;dbname=MyDBName", $dbUser, $dbPassword);

// Disable emulated prepared statements
// PDO will **TRY** to use real (non-emulated) prepared statements
$conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Some sample data
$aTitle = 'PHP Security';
$anAuthor = 'John Doe';

// Prepare a statement with some placeholders prefixed by ':'
$sql = "INSERT "
     . "  INTO books "
     . "       ( title, author   ) "
     . "VALUES ( :title, :author )"
     ;
$q = $conn->prepare($sql);

// Execute the prepared statement and replace placeholders by values
$q->execute(array(':author' => $anAuthor,
                  ':title'  => $aTitle
                 )
           );

Additionally, you might wish to review OWASP's PHP Security Cheat Sheet.

Security consideration

If the DB driver isn't able to use native prepared statements, PDO falls back to emulated prepared statements (which might be less secure). From the docs:

PDO::ATTR_EMULATE_PREPARES Enables or disables emulation of prepared statements. Some drivers do not support native prepared statements or have limited support for them. Use this setting to force PDO to either always emulate prepared statements (if TRUE), or to try to use native prepared statements (if FALSE). It will always fall back to emulating the prepared statement if the driver cannot successfully prepare the current query. Requires bool.

SteAp

Try the following:

$mysqlconn = new PDO('mysql:dbname=' . $database . ';host=' . $host, $username, $password);
$query = "INSERT INTO names (id, name) VALUES (:id, :name)";
$statement = $mysqlconn->prepare($query);
$statement->execute(array(':id' => null, ':name' => $name));

This is the core of that logic ported to PDO. You'll have to fill the missing parts.

Funk Forty Niner
ffflabs