-1

I thought my code was preventing SQL injections, but upon looking on the internet, I realized I was wrong. I was grabbing IDs by using:

$id = mysqli_real_escape_string($_GET['id']);

I learned on the internet that using the MySQL real escape string does not actually prevent me from SQL injection. However, even when I try to use it on my server, it gives me this error:

expects exactly 2 parameters, 1 given - Line: 4

I'm not sure why I was able to use it in a testing environment (wamp), but not on here. I was wondering, what is the correct way to grab IDs and prevent SQL injection?

Achilles
  • 19
  • 4

2 Answers

0

The correct way is to use prepared statements. As far as your code is concerned, you are using mysqli_real_escape_string the wrong way. You need to include your mysqli connection as well.

$id = mysqli_real_escape_string($mysqli, $_GET['id']);

When using prepared statements there is no need for this.

EternalHour
  • 8,308
  • 6
  • 38
  • 57
  • Thanks. However, after I read this http://www.wenda.io/questions/2406383/how-do-i-use-getid-securely-with-pdo-query.html I learned that MySQLi doesn't prevent SQL injection, is this true? – Achilles Feb 03 '15 at 06:32
  • None of the APIs are going to prevent SQL injection by themselves, you have to use them properly. This is why I recommended prepared statements because the input is escaped and the query is "predetermined" before the query is actually run (if you perform the query properly). It is very important to read the official documentation so that you understand, instead of reading someone's opinion on the internet. – EternalHour Feb 03 '15 at 06:36
0

I would just use a prepared statement and bind the value. Like this example.

// $name holds the user-supplied value. It is sent to MySQL separately from
// the query text, so it cannot change the structure of the DELETE statement.
$stmt = $mysqli->prepare("DELETE FROM tbl_users WHERE name = ?");
$stmt->bind_param("s", $name);   // "s": bind $name as a string
$stmt->execute();
$stmt->close();
Zoltar
  • 232
  • 1
  • 4
  • 10
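Both answers above recommend prepared statements; the following is an added example (not code from the question or either answer) showing the complete pattern for the question's actual case, grabbing an `id` from the query string. It also shows why the two-argument `mysqli_real_escape_string($mysqli, $_GET['id'])` fix from the first answer is still not enough on its own: escaping only neutralises quote characters, and an id is normally interpolated without quotes (`WHERE id = $id`), so a value such as `1 OR 1=1` contains nothing to escape and still changes the query. Validating the id as an integer and binding it as a parameter closes both problems. The table name `tbl_users`, its columns, and the connection parameters are placeholders assumed for the example.

```php
<?php
// Added example, not from the original question or answers.
// Assumed: a MySQL table `tbl_users` (id INT PRIMARY KEY, name VARCHAR) and
// placeholder connection parameters.

// Report MySQLi errors as exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$mysqli->set_charset('utf8mb4');

// Step 1: validate the input. An id must be a positive integer; anything
// else (including "1 OR 1=1", which escaping would leave untouched) is
// rejected before it gets anywhere near SQL. filter_input() returns null if
// the parameter is missing and false if it fails validation.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid id');
}

// Step 2: send the query text and the value separately. MySQL parses the
// statement before the parameter is supplied, so the value can only ever be
// compared against the id column, never interpreted as SQL.
$stmt = $mysqli->prepare('SELECT id, name FROM tbl_users WHERE id = ?');
$stmt->bind_param('i', $id);        // "i": bind as an integer
$stmt->execute();

// bind_result() works without the mysqlnd driver, unlike get_result().
$stmt->bind_result($userId, $name);
$found = $stmt->fetch();
$stmt->close();

if (!$found) {
    http_response_code(404);
    exit('No such user');
}

// Escape on output as well: the database is not the only injection target.
echo 'User ' . (int) $userId . ': ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
```

The `"i"` type in `bind_param` matters for the same reason the validation does: even if a non-numeric string slipped through, MySQLi would send it as an integer parameter rather than splicing it into the statement text. The error in the question ("expects exactly 2 parameters, 1 given") comes from the procedural `mysqli_real_escape_string` needing the connection as its first argument; with prepared statements there is no escaping call to get wrong.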