1

I don't want to be vulnerable against sql injections. Can anyone please tell me if I am using $mysqli->real_escape_string correctly here? Currently I am using it only on $name variable. I don't have much experience with php and databases.

// Insert our data
  $sql = "INSERT INTO kliendid (`id`, `name`, `email`, `uudiskiri`) VALUES (NULL, $mysqli->real_escape_string('${name}'), '${email}', '${uudiskiri}')";
  $insert = $mysqli->query($sql);

  // Close connection
  $mysqli->close();
Isaac Bennetch
  • 11,830
  • 2
  • 32
  • 43
  • 5
    Possible duplicate of [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – user3942918 Jul 17 '18 at 09:48
  • 1
    use parameterized queries and prepared statements instead. The duplicate paul linked has a very extensive answer on that. Manually escaping strings is asking for trouble. – Magisch Jul 17 '18 at 09:51

1 Answers1

0

If id is autoincrement just ignore it on the statement.

$stmt = $mysqli->prepare("INSERT INTO kliendid (`name`, `email`, `uudiskiri`) VALUES (?,?,?)");
$stmt->bind_param('ssi', $email, $email, $uudiskiri);

$stmt->execute();
$stmt->close();

What does it mean 'ssi', that means you are telling the statement that the values you are sending are: the first one a "string", second one "string" and third one "integer" and as per the comments, is a good idea to dig deeply before asking, I got your code built in about 5 minutes and it took me another 5 to research.

And for an answer to your question, no, you are not using mysqli_real_escape_string correctly, this is the way of using it:

$var1escaped = mysqli_real_escape_string($var1)
$var2escaped = mysqli_real_escape_string($var2)
$varNescaped = mysqli_real_escape_string($varN)

Then you send the escaped variables to your query, but still not secure as prepared statements.

I hope this helps, I'm glad there's people out there willing to build secure code.

Alberto Vidales
  • 54
  • 6