
I have made an edit form for my users, now when I update it needs to be secure against MySQL injection.

Right now I have this query

$sqledit = mysql_query("UPDATE **** SET titel = '$title', content = '$content' WHERE `ID` = ".mysql_real_escape_string($_POST['ID']),mysql_real_escape_string($_POST['txttitle'])) or die (mysql_error());

NOTE: $content is a CKEditor field which has built-in protection methods against MySQL injection?

Still, when I put something like ééáá",''øøí in txttitle it gives the following error.

mysql_query(): supplied argument is not a valid MySQL-Link resource

user2022298
    I do recommend using an ORM system. For PHP this could be Doctrine or Propel. These systems allow much easier data persistence and usually provide methods against SQL injection. – Benny Nov 06 '13 at 09:47
  • 1
    Use prepared statements and an up-to-date MySQL extension like `PDO` or `mysqli`; the `mysql_` functions are deprecated and will be removed in one of the next PHP versions. – TiMESPLiNTER Nov 06 '13 at 09:47
  • That error has nothing to do with the actual data, but with you giving a second parameter to the function that makes no sense. – CBroe Nov 06 '13 at 09:49
  • @TiMESPLiNTER a prepared statement is not a must. – Raptor Nov 06 '13 at 09:49
  • No it's not but it's highly recommended. – TiMESPLiNTER Nov 06 '13 at 10:00
  • @TiMESPLiNTER wrong concept; in fact it's the reverse. Prepared statements have a negative impact on speed. Avoid using them unless you don't care about speed / optimization. – Raptor Nov 06 '13 at 10:08
  • Yes but he has to deal with user input and for user input prepared statements are highly recommended imho. – TiMESPLiNTER Nov 06 '13 at 10:21

1 Answer


SQL Injection is not the cause of your error. However, you misuse the mysql_query() function. The signature is:

mysql_query ( string $query , resource $link_identifier = NULL )

but you provide a non-link-identifier as your 2nd parameter, which causes the error.

Note: Stop using mysql_* functions as they are deprecated. Switch to MySQLi or PDO instead.

Raptor
  • Thank you for pointing that out, due to the many edits I copied the wrong query here. I will search some more information about mySQLi and PDO. Thank you! – user2022298 Nov 06 '13 at 09:59
  • If you find the answer useful, please accept the answer & upvote. Thanks! – Raptor Nov 06 '13 at 10:07
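The switch to PDO that the answer recommends, written out for the asker's UPDATE as an added example (not code from the question or the answer). The table name `articles`, the POST field name `content`, and the DSN/credentials are assumptions; the question's `****` table name is not known.

```php
<?php
// Added example: the asker's UPDATE rewritten with PDO prepared statements.
// Table name, the "content" POST field, and the DSN/credentials are assumed.

// Connect with exceptions enabled and an explicit charset, so characters
// such as "ééáá" and "øøí" in the title are transferred and stored correctly.
$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4', // assumed DSN
    'example_user',                                           // assumed user
    'example_password',                                       // assumed password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

/**
 * Update one row's title and content by ID.
 * The values never become part of the SQL text: they are sent as bound
 * parameters, so quotes, backslashes or SQL keywords in the input cannot
 * alter the statement. The ID is bound as an integer, not interpolated.
 */
function updateArticle(PDO $pdo, int $id, string $title, string $content): int
{
    $stmt = $pdo->prepare(
        'UPDATE articles SET titel = :title, content = :content WHERE `ID` = :id'
    );
    $stmt->bindValue(':title',   $title,   PDO::PARAM_STR);
    $stmt->bindValue(':content', $content, PDO::PARAM_STR);
    $stmt->bindValue(':id',      $id,      PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // number of rows affected
}

// Validate the ID before it goes anywhere near the query:
// filter_input() returns false for non-numeric input and null when absent.
$id = filter_input(INPUT_POST, 'ID', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid ID');
}

$rows = updateArticle($pdo, $id, $_POST['txttitle'] ?? '', $_POST['content'] ?? '');
echo "Rows updated: $rows";
```

Parameter binding protects only the query; the HTML that CKEditor submits still has to be sanitised or escaped before it is rendered back to other users.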