user1054080
Reputation:
Safe use of POST vars into database
Dear community it has been a while since i wrote database applications, just to be sure I have a simple question:
Is the PHP code down here safe to use? I have a basic DA installation with php 5.3.8 so magic quotes should be disabled.
Greetings,
<?php
$id = ( mysql_real_escape_string( stripslashes ($_POST['id'])));
$naam = ( mysql_real_escape_string( stripslashes ($_POST['naam'])));
$bericht = ( mysql_real_escape_string ( stripslashes ($_POST['bericht'])));
if ($id and $naam and $bericht) {
$databsestring = "<div class=\"reactie\"><h3>".$naam." op ".date ("F j, Y").":</h3>" . $bericht . "</div>";
if ($db_found) {
$SQL = "UPDATE xxxxx_comments SET comments = CONCAT (comments,'".$databsestring."') WHERE id='".$id."'";
$result = mysql_query($SQL);
mysql_close($db_handle);
}
?>
Upvotes: 0
Views: 84
Answers (1)
Lotzki
Reputation: 519
mysql_* is deprecated, use mysqli or PDO to safely store data.
For example:
$add_user = $mysqli->prepare("INSERT INTO `users` SET `name`=?, `email`=?, `encrypted_password`=?");
$add_user->bind_param("sss",$name,$email,$hash["encrypted"]);
$add_user->execute()
Using prepared statements is a safe way to avoin sql injections
Upvotes: 2
Related Questions
- How should I write PHP $_POST vars in a mysql_query function?
- How To validate php post variables?
- Is it secure to Store value in var for PDO PHP?
- How safe is it to insert $_POST data from an array directly into a MySQL statement?
- is $_POST really safe?
- Processing $_POST[] and $_GET[] variables
- Is it ok to set $_POST variables via php to pass data to your form elements
- How could I make this PHP $_POST more secure? -Or is it secure already?
- Should I sanitize EVERY form variable passed along?
- Making a form submit a variable safely