PHP and MySQL form submit

Question

In this block of code where do I put mysqli_real_escape_string() ?

Or if you have a better way of writing the whole block I'm interested to hear.

<?php 
$title = ($_POST["title"]); 
$date = ($_POST["date"]); 
$content = ($_POST["content"]); 

$query = "INSERT INTO months ("; 
$query .= " title, date, content "; 
$query .= ") VALUES ("; 
$query .= " '{$title}', '{$date}', '{$content}' "; 
$query .= ")"; 
mysqli_query($connection, $query); ?>

score 1 · Accepted Answer · edited May 23 '17 at 11:51

It would be the best to use prepared statements.

$stmt = mysqli_prepare($connection, "INSERT INTO months (title, date, content) 
                                VALUES(?, ?, ?)");

mysqli_stmt_bind_param($stmt, "sss", $title, $date, $content);
$title = $_POST["title"]; 
$date = $_POST["date"]; 
$content = $_POST["content"]; 
mysqli_stmt_execute($stmt);

When using an escape function and string concatenation there might still be cases in which sql injection is possible. Prepared Statements work differently, so they are secure against sql injection. https://stackoverflow.com/a/60496/3595565

score 0 · Answer 2 · answered Jul 31 '16 at 09:12

0

Try this :

$title = mysqli_real_escape_string($_POST["title"]); 
$date = mysqli_real_escape_string($_POST["date"]); 
$content = mysqli_real_escape_string($_POST["content"]);

answered Jul 31 '16 at 09:12

Rizaldi Maulidia

118
3
9

PHP and MySQL form submit

2 Answers2