Proper way to create PHP prepared statement?

Question

I am new to PHP

Currently working on building my 1st web app!

I created this PHP script for registering / signing up for my web app, and I want it to prevent SQL injection So I need some guideance here, I learned all by my self from ground zero!

So I decided to use from what I have read and learned.

Here's my code:

$server = "localhost";
$user = "root";
$pass = "";
$selected_db = "User";
$selected_table = "usersbio";

// Create connection
$linking = new mysqli($server, $user, $pass, $selected_db);

// Input variable
$firstname = mysqli_real_escape_string($linking, $_POST['firstname']);
$lastname = mysqli_real_escape_string($linking, $_POST['lastname']);
$userpass = mysqli_real_escape_string($linking, $_POST['userpass']);
$useremail = mysqli_real_escape_string($linking, $_POST['useremail']);
$udob_d = mysqli_real_escape_string($linking, $_POST['userdobd']);
$udob_m = mysqli_real_escape_string($linking, $_POST['userdobm']);
$udob_y = mysqli_real_escape_string($linking, $_POST['userdoby']);

$hashingpass = password_hash($userpass, PASSWORD_DEFAULT);

// Saving data to db - table
$stmt = $linking->prepare("INSERT INTO $selected_table (userfirstname, 
userlastname, userpasskey, useremail, userdobd, userdobm, userdoby) 
VALUES ('?', '?', '?', '?', '?', '?', '?')");

$stmt->bind_param('s', 's', 's', 's', 'i', 's', 'i', $firstname, 
$lastname, $hashingpass, $useremail, $udob_d, $udob_m, $udob_y);
$stmt->execute();

$linking->close();

Answer 1

If you're just getting started, I'd suggest using PDO instead of the old mysqli interface. It's much less verbose and easier to use. Here's how your code would look:

<?php
$server = "localhost";
$user = "root";
$pass = "";
$selected_db = "User";

// Create connection
$linking = new PDO("mysql:host=$server;dbname=$selected_db", $user, $pass);

// Saving data to db - table
$query = "
    INSERT INTO usersbio
    (userfirstname, userlastname, userpasskey, useremail, userdobd, userdobm, userdoby)
    VALUES (?, ?, ?, ?, ?, ?, ?)";

$params = [
    $_POST["firstname"],
    $_POST["lastname"],
    password_hash($_POST["userpass"], PASSWORD_DEFAULT),
    $_POST["useremail"],
    $_POST["userdobd"],
    $_POST["userdobm"],
    $_POST["userdoby"],
];
$stmt = $linking->prepare($query);
$stmt->execute($params);

$linking->close();

Answer 2

You prepare() statement looks like it should work...

Also as Alex Howansky said:

Don't rely on the real_escape_string() functions to prevent SQL injection, they alone are not sufficient. You should use prepared statements with bound parameters, via either mysqli or PDO. This post has some good examples.

Refer to: How can I prevent SQL injection in PHP?

You also have to remove the the single quotes around the question marks...

TRY THIS:

$server = "localhost";
$user = "root";
$pass = "";
$selected_db = "User";
$selected_table = "usersbio";

// Create connection
$linking = new mysqli($server, $user, $pass, $selected_db);

// Input variable
$firstname = mysqli_real_escape_string($linking, $_POST['firstname']);
$lastname = mysqli_real_escape_string($linking, $_POST['lastname']);
$userpass = mysqli_real_escape_string($linking, $_POST['userpass']);
$useremail = mysqli_real_escape_string($linking, $_POST['useremail']);
$udob_d = mysqli_real_escape_string($linking, $_POST['userdobd']);
$udob_m = mysqli_real_escape_string($linking, $_POST['userdobm']);
$udob_y = mysqli_real_escape_string($linking, $_POST['userdoby']);

$hashingpass = password_hash($userpass, PASSWORD_DEFAULT);

// Saving data to db - table
$stmt = $linking->prepare("INSERT INTO $selected_table (userfirstname, 
userlastname, userpasskey, useremail, userdobd, userdobm, userdoby) 
VALUES (?, ?, ?, ?, ?, ?, ?)");

$stmt->bind_param('ssssisi', $firstname, 
$lastname, $hashingpass, $useremail, $udob_d, $udob_m, $udob_y);
$stmt->execute();

$linking->close();

THIS IS THE UPDATED QUERY:

INSERT INTO $selected_table (userfirstname, userlastname, userpasskey, useremail, userdobd, userdobm, userdoby)
VALUES (?, ?, ?, ?, ?, ?, ?)

If you need more help with prepared statements take a look at this link:

http://php.net/manual/en/mysqli.quickstart.prepared-statements.php