I have this code on a contact page of my site:

// $mysqli is the open mysqli connection and $ip the visitor's address; both are set earlier (not shown)
$insert = $mysqli->prepare("INSERT INTO `contact` (`Name`, `Email`, `Subject`, `Priority`, `DisplayName`, `Message`, `IP`) VALUES (?,?,?,?,?,?,?)");
// 'sssisss': one type letter per placeholder (s = string, i = integer), in column order
$insert->bind_param('sssisss',
    $_POST['name'],
    $_POST['email'],
    $_POST['subject'],
    $_POST['priority'],
    $_POST['dispname'],
    $_POST['query'],
    $ip);

$insert->execute();
$newId = $insert->insert_id; // auto-increment id of the row just inserted
$insert->close();

It works fine; however, is my prepared statement enough to protect against SQLi attacks? This is my first project since moving over from mysql_* (I know, bad of me, but now I'm making the change), and I am wondering if I am meant to escape anything else before inserting these values.

MrMayo

1 Answer

Yes, you are pretty safe, as you are using prepared statements, and you don't have to worry about escaping, as it is done automatically.

If you want to dive into detail about this, see here.

Shankar Narayana Damodaran
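The point made in the answer, as an added example that is not part of the original question or answer: the question's INSERT wrapped in a function, fed input full of quote characters, then read back to show it was stored exactly as submitted with no escaping step. It assumes a reachable MySQL server holding the `contact` table from the question with an auto-increment key column named `id`; the connection parameters and the `id` column name are placeholders.

```php
<?php
// Added example, not from the original question or answer. Assumes a MySQL server holding
// the question's `contact` table; host/user/password/database and the key column `id` are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently

function insertContact(mysqli $db, array $post, string $ip): int
{
    // bind_param's 'i' expects an integer: validate rather than trust the raw POST string.
    $priority = filter_var($post['priority'] ?? '', FILTER_VALIDATE_INT);
    if ($priority === false) {
        throw new InvalidArgumentException('priority must be an integer');
    }
    $stmt = $db->prepare(
        'INSERT INTO `contact` (`Name`, `Email`, `Subject`, `Priority`, `DisplayName`, `Message`, `IP`) '
        . 'VALUES (?,?,?,?,?,?,?)'
    );
    // The SQL text is parsed once; each bound value travels separately as data, so
    // quotes, semicolons and backslashes inside a value never reach the SQL parser.
    $stmt->bind_param('sssisss', $post['name'], $post['email'], $post['subject'],
        $priority, $post['dispname'], $post['query'], $ip);
    $stmt->execute();
    $newId = (int) $stmt->insert_id;
    $stmt->close();
    return $newId;
}

function fetchMessage(mysqli $db, int $id): ?string
{
    // Reading back also goes through a placeholder; `id` is the assumed key column name.
    $stmt = $db->prepare('SELECT `Message` FROM `contact` WHERE `id` = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($message);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $message : null;
}

// Constructed submission containing the characters that break concatenated SQL.
$sample = [
    'name' => "O'Brien",                 'email'    => 'obrien@example.com',
    'subject' => 'Re: "quotes"; semicolons', 'priority' => '2',
    'dispname' => 'ob',                  'query'    => "It's a message with ', \", ; and a \\ backslash",
];
$db = new mysqli('db.example.invalid', 'app_user', 'CHANGE_ME', 'site'); // placeholder credentials
$id = insertContact($db, $sample, '203.0.113.7'); // documentation-range IP
// Compare the stored value with what was submitted: the bound string is kept byte-for-byte.
echo fetchMessage($db, $id) === $sample['query'] ? "stored verbatim\n" : "mismatch\n";
```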