
I am using the following syntax to insert something into my SQL-Tables:

$db = @mysqli_connect("", "", "") or die("connection failed!"); // host, user and password left blank by the asker
mysqli_select_db($db, '');                                       // database name left blank by the asker
$user_stuff;                                                     // holds the user-supplied value (assignment omitted)
$sql = "INSERT INTO whatever ( ... ) VALUES (... '$user_stuff')"; // the value is interpolated straight into the SQL text
$db->query($sql);
mysqli_close($db);

Is this safe against SQL injections? I am not sure how to use prepared statements with this syntax. Or are prepared statements already implemented inside ->query(...)?

  • Have you read the manual? Anyhow it's not safe against SQL injections because you're not doing anything with the user input. Use prepared statement, preferably PDO. – Janno Aug 04 '16 at 06:57
  • good reference: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Carr Aug 04 '16 at 06:57
  • It's not about the query() method. It is about the query you put into it and how you build that query. (The $sql variable) – Fjarlaegur Aug 04 '16 at 06:58
  • [The Great Escapism (Or: What You Need To Know To Work With Text Within Text)](http://kunststube.net/escapism/) – deceze Aug 04 '16 at 07:38
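The following is an added example, not code from the question or from any of the commenters. It shows the asker's INSERT written with a mysqli prepared statement and, as the first comment suggests, with PDO. The table name `whatever`, the column `note`, the form field `note`, and the `DB_*` connection values are assumptions (placeholders) because the question leaves them blank. The constructed input `O'Brien` is a perfectly legitimate value, yet its apostrophe already ends the quoted literal in the interpolated version; that is exactly the mechanism injection abuses, and the prepared statement removes it because the value is never parsed as SQL.

```php
<?php
// Added example: the asker's INSERT done safely with mysqli and with PDO.
// Assumed schema: table `whatever` with a column `note VARCHAR(255)`.
// DB_HOST / DB_USER / DB_PASSWORD / DB_NAME are placeholders, not real credentials.

// Report mysqli errors as exceptions instead of failing silently (the @ in the
// original hides connection errors, which also hides injection-caused syntax errors).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4'); // server and client must agree on the charset for escaping/binding to be meaningful

// User-controlled input, e.g. from a form. The constructed default contains a single
// quote on purpose: it is a normal value that still breaks an interpolated query.
$user_stuff = $_POST['note'] ?? "O'Brien";

// --- UNSAFE (the asker's pattern). ->query() does not prepare or escape anything;
// it sends the string exactly as built. With $user_stuff = O'Brien the SQL becomes
//   INSERT INTO whatever (note) VALUES ('O'Brien')
// which is a syntax error here, and attacker-chosen text in place of "Brien')" would be executed as SQL.
// $sql = "INSERT INTO whatever (note) VALUES ('$user_stuff')";
// $db->query($sql);

// --- SAFE: mysqli prepared statement. The SQL text with a ? placeholder is sent to the
// server first; the value is sent afterwards as data bound to that placeholder and is
// never parsed as part of the statement, so quotes inside it are just characters.
$stmt = $db->prepare('INSERT INTO whatever (note) VALUES (?)');
$stmt->bind_param('s', $user_stuff);   // 's' = bind as a string (use 'i' for integers, 'd' for doubles)
$stmt->execute();
printf("mysqli: inserted row id %d\n", $db->insert_id);
$stmt->close();
$db->close();

// --- SAFE: the same INSERT with PDO, as recommended in the comments.
$pdo = new PDO(
    'mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4',
    'DB_USER',
    'DB_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw on errors
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares, not client-side quoting
    ]
);
$stmt = $pdo->prepare('INSERT INTO whatever (note) VALUES (:note)');
$stmt->execute([':note' => $user_stuff]); // named placeholder, value bound as data
printf("PDO: inserted row id %s\n", $pdo->lastInsertId());
```

The check that matters when reviewing code like the question's is whether any variable appears inside the string passed to `query()`; if it does, the statement is built by concatenation and `query()` cannot undo that. With `prepare()` plus `bind_param()`/`execute([...])`, the SQL text contains only placeholders and the user's value travels separately, so no escaping step is needed for the values (table and column names still cannot be parameterised and must come from a fixed allow-list).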

0 Answers