
How can I protect this code from SQL injection?

// As posted: each value from $arrayuser is concatenated straight into the SQL text
$sql = "SELECT ID FROM newidea WHERE tag LIKE '%" . $arrayuser[$i] . "%' AND ID > $number";
$result = $conn->query($sql);
// query() returns false on error, so guard before reading num_rows
if ($result && $result->num_rows > 0) {
    $row = $result->fetch_assoc();
}
  • If you are only starting to learn PHP then you should learn PDO instead of mysqli. PDO is much easier and more suitable for beginners. Start here https://phpdelusions.net/pdo & https://websitebeaver.com/php-pdo-prepared-statements-to-prevent-sql-injection – Dharman Apr 04 '21 at 20:01
  • Hi @Dharman , I used mysqli_real_escape_string() function. Do you think it's enough to protect from sql injection? I found different opinions in the Internet. I'll learn PDO, but for now I've done my project in mysql, so I'd like to end it. – Wawi Sobota Apr 04 '21 at 20:13
  • Technically, it should be enough but it is not worth it. Just use prepared statements and forget about any need to escape. It's safer, easier and quicker. – Dharman Apr 04 '21 at 20:36
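The prepared-statement version of the asker's query, as an added example (not code from the question or the comments). It keeps the asker's `$conn`, `$arrayuser` and `$number`; the connection credentials are placeholders, and the `likeContains()` helper is a hypothetical name introduced here.

```php
<?php
// Added example: the same query with a mysqli prepared statement.
// Connection credentials below are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors instead of returning false
$conn = new mysqli('db_host', 'db_user', 'db_pass', 'db_name');
$conn->set_charset('utf8mb4');

// Hypothetical helper: build a "contains" pattern for LIKE.
// The wildcards go into the bound value, never into the SQL text, and a
// user-supplied % or _ is escaped so it cannot widen the match to every row
// (a correctness concern, separate from injection; \ is MySQL's default ESCAPE char).
function likeContains(string $needle): string
{
    return '%' . addcslashes($needle, '%_\\') . '%';
}

// The SQL text is fixed; only ? placeholders stand where user data goes,
// so the driver sends the data separately and it is never parsed as SQL.
$sql  = "SELECT ID FROM newidea WHERE tag LIKE ? AND ID > ?";
$stmt = $conn->prepare($sql);

// bind_param() binds by reference: bind once, then reassign $pattern per iteration.
$pattern = '';
$stmt->bind_param('si', $pattern, $number); // 's' = string, 'i' = integer

foreach ($arrayuser as $tag) {
    $pattern = likeContains($tag);
    $stmt->execute();
    $result = $stmt->get_result();
    if ($result->num_rows > 0) {
        $row = $result->fetch_assoc();
        // ... use $row['ID']
    }
}
$stmt->close();
```

With PDO, as the comments recommend, the same shape applies: `prepare()` the query with `?` placeholders and pass `[$pattern, $number]` to `execute()`.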

0 Answers