Post value prevent sql injection

Question

I want to ask if I can prevent sql injection with this code?

<?php
$mysqli = new mysqli("localhost", "root", "", "lists");  
    if (isset($_POST['main'])) {
    if (isset($_POST['sub'])) {
    $main = $mysqli->real_escape_string($_POST["main"]);
    $sub = $mysqli->real_escape_string($_POST["sub"]);

    query . . . .

    }
    }
?>

http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php — Funk Forty Niner, Jan 02 '14 at 03:00
[`mysqli::prepare()`](http://www.php.net/manual/en/mysqli.prepare.php). — Ja͢ck, Jan 02 '14 at 03:01

score 1 · Answer 1 · edited May 23 '17 at 12:19

1

Duplicate of: How can I prevent SQL injection in PHP?

Use prepared statements and parameterized queries. You can do it like this:

$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name=? and age=?');
$stmt->bind_param('si', $_POST['name'], $_POST['age']);
$stmt->execute();

The 'si' means string and integer, each letter to every param corresponding to every '?'. Further info can be found here: http://www.php.net/manual/en/mysqli-stmt.bind-param.php

$stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");
$stmt->bind_param('sssd', $code, $language, $official, $percent);

Regards.

edited May 23 '17 at 12:19

Community

1
1

answered Jan 02 '14 at 03:08

João Pinho

3,725
1
19
29

1

But how in two post values? – user3097736 Jan 02 '14 at 03:23
@user3097736 updated answer, give it a look at my link first example. $code goes to first ?, $language goes to second ?... – João Pinho Jan 02 '14 at 03:38

Post value prevent sql injection

1 Answers1