
I am doing a project in PHP. I want to know whether my code is preventing SQL injection.

$pageid=mysql_real_escape_string($page);
$query = "SELECT * FROM distdb WHERE BANK_ID = ".$pageid;
Asesha George
    Change to mysqli or pdo and decent host should have them. – Mihai Jul 28 '15 at 07:03
    Using prepared statements will prevent SQL injection. – Jens Jul 28 '15 at 07:04
  • GRC, thank you for marking it as a duplicate. Please read my question before you mark it: does this mysql_real_escape_string($page); prevent SQL injection? – Asesha George Jul 28 '15 at 07:11
  • Using `_real_escape_string` would work if the interpolated/appended value *was put in quotes*. Which your example isn't doing. That particular escaping function is only meant for **strings** - as the name says. Using it for numeric values *but forgoing quoting* is why this isn't sufficient. -- And no. You're not entitled to a custom answer/explanation or disputing the duplicate status for things that come up fiddy times a day. Neither is your insistence on the outdated mysql_ API relevant. – mario Jul 28 '15 at 07:12
  • OK, thank you Jens and Mario. I'd better change to PDO so that I can use prepared statements. Thank you. – Asesha George Jul 28 '15 at 07:29
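The hardened form of the lookup the comments recommend, as an added example that is not the asker's code: the value is validated as an integer and bound as a parameter of a PDO prepared statement, so the SQL text never changes with the input. The table and column names (distdb, BANK_ID) come from the question; the in-memory SQLite database and its rows are constructed here so the script runs stand-alone (it assumes the pdo_sqlite extension is available).

```php
<?php
// Added example, not the original poster's code. Constructed in-memory
// database so the lookup can be exercised offline.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE distdb (BANK_ID INTEGER, NAME TEXT)');
$pdo->exec("INSERT INTO distdb VALUES (1, 'First Bank'), (2, 'Second Bank')");

/**
 * Look up rows for one bank. The value is never concatenated into the SQL:
 * it is validated as an integer, then bound as a typed parameter, so the
 * statement sent to the database is fixed regardless of what $page holds.
 * (Function name and signature are assumptions for this example.)
 */
function fetchBank(PDO $pdo, string $page): array
{
    // BANK_ID is numeric, so reject anything that is not a plain integer
    // before it gets anywhere near the query. This is the check the
    // original code lacked: escaping a string does not help when the
    // value is appended unquoted to a numeric comparison.
    $id = filter_var($page, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('BANK_ID must be an integer');
    }

    $stmt = $pdo->prepare('SELECT * FROM distdb WHERE BANK_ID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Well-formed input returns the matching row.
print_r(fetchBank($pdo, '2'));

// Input that is not a bare integer (here: a value with extra SQL appended)
// is rejected up front instead of being interpolated into the statement.
try {
    fetchBank($pdo, '2 OR 1=1');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

With mysqli the same structure applies: `prepare()` with a `?` placeholder, then `bind_param('i', $id)` before `execute()`.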
