Code:

$gameID = $_GET['gid'];   // taken straight from the query string, no validation
$con = mysql_connect($dbserver, $dbuser, $dbpassword);
if (!$con)
{
   die('Could not connect: ' . mysql_error());
}

mysql_select_db($dbname, $con);

// user input is concatenated directly into the SQL text
$sqlselect = "SELECT * FROM games WHERE gameid=" . $gameID;
$result = mysql_query($sqlselect);

$row = mysql_fetch_array($result);
$gwidth  = $row['width'];
$gheight = $row['height'];

if ($gwidth > 700)
{
  $gwidth  = $gwidth * 0.75;
  $gheight = $gheight * 0.75;
}

Can anybody tell me how to secure these SQL queries?

VULNERABILITY: CLASSIC MYSQL INJECTION

Sebastian

1 Answer

Use mysql_escape_string or mysqli_escape_string.

http://php.net/manual/en/function.mysql-escape-string.php

  • Can you give me an example with the code I attached using mysql_escape_string? – Sebastian Sep 05 '13 at 00:38
  • -1. Not only are you recommending a deprecated extension, you are also recommending a very old and broken function in it. "*This function has been DEPRECATED as of PHP 5.3.0.*" "*This extension is deprecated as of PHP 5.5.0.*" – DCoder Sep 05 '13 at 04:23
  • I mentioned mysqli_escape_string as well – user2676655 Sep 05 '13 at 23:31
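As an added example (not code from the question or the answer), here is the same lookup rewritten with mysqli prepared statements, which is the fix the question is really asking for; it assumes $dbserver, $dbuser, $dbpassword and $dbname are defined as in the original snippet and that the mysqlnd driver is available for get_result().

```php
<?php
// Added example, not from the question or answer. Assumes $dbserver, $dbuser,
// $dbpassword and $dbname are set exactly as in the original snippet.

// Escaping alone (mysql_escape_string / mysqli_real_escape_string) does not
// protect an unquoted numeric comparison such as  WHERE gameid=$gameID,
// because an input like "1 OR 1=1" contains no quote characters to escape.
// The fix is to validate the input and bind it as a parameter.

// 1. Validate the shape of the input before it goes near SQL.
//    FILTER_VALIDATE_INT returns false on a non-integer, null if gid is absent.
$gameID = filter_input(INPUT_GET, 'gid', FILTER_VALIDATE_INT);
if ($gameID === false || $gameID === null) {
    http_response_code(400);
    die('Invalid game id');
}

// 2. Connect with mysqli and make failures throw instead of being ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$con = new mysqli($dbserver, $dbuser, $dbpassword, $dbname);

// 3. Send the SQL and the value separately; the server never parses $gameID as SQL.
$stmt = $con->prepare('SELECT width, height FROM games WHERE gameid = ?');
$stmt->bind_param('i', $gameID);   // 'i' = bind as integer
$stmt->execute();
$result = $stmt->get_result();     // requires mysqlnd (assumption)
$row = $result->fetch_assoc();      // null when no row matched
$stmt->close();

if ($row === null) {
    http_response_code(404);
    die('No such game');
}

$gwidth  = $row['width'];
$gheight = $row['height'];

if ($gwidth > 700) {
    $gwidth  = $gwidth * 0.75;
    $gheight = $gheight * 0.75;
}
```

The same pattern works with PDO (prepare, bindValue with PDO::PARAM_INT, execute); what matters is that the id is validated and bound rather than concatenated into the query string.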