mysql_query("INSERT INTO user_badges (user_id, badge_id)
VALUES ('". $_SESSION['user']['id'] ."',VIP)");
How can I make this safe?
Asked
Active
Viewed 29 times
-2
-
Anyone know something about this? – IbraDigga Jan 09 '16 at 18:49
-
1Yes, it absolutely is. Use *Prepared Statements* – juergen d Jan 09 '16 at 18:50
-
Use prepared statement instead to avoid sql injection. – SMA Jan 09 '16 at 18:50
-
3Possible duplicate of [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Alejo Jan 09 '16 at 18:55
1 Answers
1
Use newer functions like
mysqli_queryor even betterPDO library.Bind params, do not inject them in query.
Sanitize your params.
Read:
Community
- 1
- 1
Grzegorz Gajda
- 2,424
- 2
- 15
- 23
-
@IbraDigga . . . Probably not. mysql_ is no longer supported. The correct option is to switch to mysqli. If you want security, then use supported software. – Gordon Linoff Jan 09 '16 at 18:55