How should I "sanitize" my data inputs to fight against SQL injections?

Question

I've been working on a project for a website idea, but I noticed that I can actually perform SQL injections on my site. This isn't good, because if I can, then anyone can. What's the "best" way to sanitize data inputs for a php site?

<?php
$servername = "localhost";
$username = "myusername";
$password = "mypassword";
$dbname = "users";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
} 

$fname = $_POST['fname'];
$lname = $_POST['lname'];
$pnum = $_POST['pnum'];
$cc = $_POST['cc'];
$username = $_POST['username'];
$password = $_POST['password'];

$sql = "INSERT INTO Users (fname, lname, cc, pnum, username, password) VALUES ('$fname', '$lname', '$cc', '$pnum', '$username', '$password')";
$result = $conn->multi_query($sql);

if ($result->num_rows > 0) {
    // output data of each row
    while($row = $result->fetch_assoc()) {
        echo "id: " . $row["id"]. " - Name: " . $row["firstname"]. " " . $row["lastname"]. "<br>";
    }
} else {
    header('Location: registered.html');
}

$conn->close();
?>

score 0 · Answer 1 · answered Apr 18 '15 at 15:19

0

Use prepared statements, which are designed to prevent injection.

http://php.net/manual/en/pdo.prepared-statements.php

answered Apr 18 '15 at 15:19

mattm

5,851
11
47
77

How should I "sanitize" my data inputs to fight against SQL injections?

1 Answers1