secure php GET with SQL

Question

any advise how do I secure my GET code below to prevent SQL Injection or any hacking activities?

http://localhost/hobby.php?hobby=soccer

<?php

include "connect.php";


$hobby = (isset($_GET['hobby'])) ? $_GET['hobby'] : '';
$hobby = str_replace("'", "''", $hobby);

$hobby = strip_tags($hobby);
$hobby = trim ($hobby);

if ($hobby != '') {
    
    $sql = "SELECT Name, Hobby from myself where Hobby like '%$hobby%'";

    $stmt = sqlsrv_query( $conn, $sql );
    
    $result = array();
    $row_check = sqlsrv_has_rows( $stmt );


    if ($row_check == true) {
        while ($row = sqlsrv_fetch_array( $stmt, SQLSRV_FETCH_ASSOC)) {
            $result['Response'][] = array(
        'Name' => $row['Name'],
        'Hobby' => $row['Hobby']
            );
        }
    } 
    sqlsrv_free_stmt( $stmt);
    sqlsrv_close( $conn);
?>

use https://www.php.net/manual/en/book.pdo.php and parameters — Giacomo M, Mar 11 '21 at 08:56
Does this answer your question? [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — Tangentially Perpendicular, Mar 11 '21 at 09:02

score 0 · Answer 1 · answered Mar 11 '21 at 09:12

0

The best thing to do is use PDO as suggested by @giacomo-m

php.net/manual/en/book.pdo.php

answered Mar 11 '21 at 09:12

Toby Allen

10,997
11
73
124

secure php GET with SQL

1 Answers1