
I have created a website; however, I have left preventing injection until last because it's what I have found most challenging.

I'm now at the point where I need to convert all my queries which contain a variable or '$_GET' to parameterised queries.

Here is an example of a couple of my queries :

SELECT

// $storename comes straight from the query string and is interpolated into the SQL text
$storename = urldecode($_GET['name']);
$ress = $conn->query("SELECT * FROM pages WHERE storename = '$storename'");
$page = $ress->fetch_array();

DELETE

if (isset($_GET['del']))
{
    // both values are taken from $_GET and interpolated into the SQL text
    $id = $_GET['del'];
    $category = str_replace(".png", "", $_GET['category']);

    $SQL = $conn->query("DELETE FROM categories WHERE id='$id'");
    $SQL = $conn->query("DELETE FROM categories WHERE category='$category'");
}

I have watched loads of tutorials and read loads of posts explaining this; however, I am completely stuck with it. If anyone does not mind showing me how to prevent injection with these 2 queries, that would be greatly appreciated. I could then look at how you have done it and apply this to other queries across my site.

Thank you for any help

bradders
  • I have read this question already and cannot understand how to protect my query from it – bradders Jun 19 '16 at 12:15
  • Here you go, just follow the link provided. The only thing I'd like to mention: PDO is way more usable with defense techniques than mysqli, so you'd better go with PDO. – Your Common Sense Jun 19 '16 at 12:15
  • Thanks, I have looked into this for a long time now and just cannot figure it out. I'm sorry if I'm being insulting, but could I pay you or anyone to do these 2 queries for me? – bradders Jun 19 '16 at 12:17
  • No. This isn't a pay-for or hiring forum. You have to at least read the duplicate. It's obvious that you haven't even attempted to apply anything. And no, we're not writing 500 personalized tutorials each day just because people are too lazy to try themselves. – mario Jun 19 '16 at 12:19
  • I wrote a [tutorial on PDO](https://phpdelusions.net/pdo#prepared) which, I believe, is comprehensible by anyone, thanks to PDO prepared statements' extreme ease of use. May I ask you to try and give me feedback on whether you succeeded with the transition or not? – Your Common Sense Jun 19 '16 at 12:26
