How do I prevent data injection?

Question

SELECT * FROM Users WHERE UserId = " + txtUserId

The following code is appropriate?

$username = mysqli_real_escape_string( $GET['username'] );
mysql_query( "SELECT * FROM tbl_members WHERE username = '".$username."'");

https://owasp.org/www-community/Injection_Theory – Ricardo Cardona Ramirez Aug 11 '21 at 16:50 — Ricardo Cardona Ramirez, Aug 11 '21 at 16:50

user3798618 · Answer 1 · 2017-04-16T07:36:52.230

-1

PDO will protect you from injections http://php.net/manual/en/book.pdo.php Use prepared statements http://php.net/manual/en/pdo.prepared-statements.php For example:

$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
$stmt->execute();

This is a secure code

edited Apr 16 '17 at 07:36

answered Apr 16 '17 at 07:30

user3798618

758
1
7
12

Please [avoid link only answers](http://meta.stackoverflow.com/tags/link-only-answers/info). Answers that are "barely more than a link to an external site” [may be deleted](http://stackoverflow.com/help/deleted-answers). – Quentin Apr 16 '17 at 07:33
@Quentin Added an example. – user3798618 Apr 16 '17 at 07:37

How do I prevent data injection?

1 Answers1