Best method to prevent SQL injection in mysqli

Asked Feb 10 '15 at 15:22

Active Feb 10 '15 at 15:40

Viewed 34 times

I need some suggestions to prevent SQL injections. I've a mysqli query to fetch some names from database.

$con = mysqli_connect( "localhost","my_user","my_password","my_db" );

mysqli_query( $con, "SELECT names FROM my_table WHERE names LIKE '$names' AND DATE_FORMAT(DOB, '%d/%m/%Y') = '$date'" );

I want to prevent my query from SQL injection. I read some articles regarding SQL injections and saw that the following methods can be used to prevent SQL injection;

mysqli_real_escape_string
Prepared Statements

But I am confused that which method is more secure. Or any other method is available which is more secure than above methods?

How can I implement this with my sample query?

edited Feb 10 '15 at 15:40

user229044

232,980
40
330
338

asked Feb 10 '15 at 15:22

Arun Chandran

Neither is more secure. However, prepared statements are more maintainable, involve less cut & pasting of code, and are less prone to programmer error. – Andy Lester Feb 10 '15 at 15:44
1

The "Best method to prevent SQL injection in mysqli " is to use PDO. – Mawg says reinstate Monica Feb 10 '15 at 15:44
Ok Andy. Thank you for the answer. Can you please show me how can I implement this with my example? – Arun Chandran Feb 10 '15 at 15:45
Read this: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Andy Lester Feb 10 '15 at 15:57

Best method to prevent SQL injection in mysqli

0 Answers0