I realize most SQL statements in my application can be junked or hacked with the plus sign (+).
Once I type + inside the input it fetches results from the database, but this is not what I want. Earlier this morning I did research to solve this, but to no avail.
I thought using mysqli_real_escape_string() would secure this, but it does me no good.
Please can someone help, because once there is no column with that character I don't expect results from the database.
Below is one of my SQL statements.
Thank you.
```php
// Get the recipient a user wants to send a message to
if (isset($_POST['recipname']) && !empty($_POST['recipname'])) {
    // Escape quotes for the SQL string literal, then trim surrounding whitespace
    $recipname = mysqli_real_escape_string($dbc_conn, trim($_POST['recipname']));
    // Collapse runs of whitespace into a single space
    $recipname = preg_replace('/\s+/', ' ', $recipname);
    $sql = "
        SELECT id, username, firstname,
               lastname, avatar,
               school
        FROM $table_name
        WHERE CONCAT('%', firstname, ' ', lastname, '%') LIKE '%$recipname%' OR
              CONCAT('%', lastname, ' ', firstname, '%') LIKE '%$recipname%'
        LIMIT 6
    ";
    // Query database
}
```
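A hardened version of this lookup, added here as an example and not part of the original post. It assumes `$dbc_conn` is an open mysqli connection (with mysqlnd, which `get_result()` needs) and that `$table_name` is an application-defined table name, never user input. It rejects input that is empty after trimming (a form-encoded `+` decodes to a space, which `trim()` removes, leaving the pattern `'%%'`), escapes the LIKE wildcards `%` and `_` so they match literally, and binds the pattern with a prepared statement instead of interpolating it into the SQL.

```php
<?php
// Added example, not from the original post. Assumes $dbc_conn (mysqli) and
// $table_name (trusted, application-defined) already exist.

/**
 * Normalize a search term: collapse whitespace, trim, and reject input that is
 * empty after trimming. A form-encoded "+" arrives as a space, so "+" alone
 * becomes "" after trim(), and LIKE '%%' would then match every row.
 */
function normalize_search_term(string $raw): ?string {
    $term = trim(preg_replace('/\s+/', ' ', $raw));
    return $term === '' ? null : $term;
}

/**
 * Escape LIKE metacharacters so user input is matched literally.
 * MySQL's default LIKE escape character is the backslash.
 */
function escape_like(string $term): string {
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
}

/** Run the recipient lookup with a prepared statement; returns matching rows. */
function find_recipients(mysqli $dbc_conn, string $table_name, string $raw): array {
    $term = normalize_search_term($raw);
    if ($term === null) {
        return []; // nothing to search for, so do not query at all
    }
    $pattern = '%' . escape_like($term) . '%';
    // The pattern is bound as a parameter, so no quoting/escaping for SQL is needed
    $sql = "SELECT id, username, firstname, lastname, avatar, school
            FROM `$table_name`
            WHERE CONCAT(firstname, ' ', lastname) LIKE ?
               OR CONCAT(lastname, ' ', firstname) LIKE ?
            LIMIT 6";
    $stmt = $dbc_conn->prepare($sql);
    $stmt->bind_param('ss', $pattern, $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage: whitespace-only or "+" input yields no rows instead of the whole table
if (isset($_POST['recipname'])) {
    $rows = find_recipients($dbc_conn, $table_name, (string) $_POST['recipname']);
}
```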