J. Doe

Reputation: 31

Questions about SQL injection

I'm trying to prevent sql injection. My code is as follows

$stmt = $db_connection->prepare("INSERT INTO users (user_name,user_password_hash,user_email,user_firstname,user_lastname,user_registerip,user_lastip,user_created,user_rank,user_block) VALUES (:user_name, :user_password_hash, :user_email, :user_firstname, :user_lastname, :user_registerip, :user_lastip, :user_created, :user_rank, :user_block)");
$stmt->bindParam(':user_name', $txtName);
$stmt->bindParam(':user_password_hash', $txtPassword);
$stmt->bindParam(':user_email', $txtMail);
$stmt->bindParam(':user_firstname', $txtFirst);
$stmt->bindParam(':user_lastname', $txtLast);
$stmt->bindParam(':user_registerip', $txtRIP);
$stmt->bindParam(':user_lastip', $txtIP);
$stmt->bindParam(':user_created', $txtCreated);
$stmt->bindParam(':user_rank', $txtRank);
$stmt->bindParam(':user_block', $txtBlock);
$stmt->execute();

But I don't know what to do with a line like this:

$stmt->bindParam(':user_block', $txtBlock);

Where do I define those variables such as $txtBlock and how do I connect my input names to the PHP code?

Upvotes: 1

Views: 45

Answers (1)

James Paterson

Reputation: 2890

You can define those variables to be what you like. If you are using a form like:

<form action="process.php" method="POST">
    <input name="example" type="text">
    <input type="submit">
</form>

Then on the page process.php, you can access all of the variables through the $_POST global. So to get the data from the field example, and assign it to $txtBlock, you can do:

$txtBlock = $_POST["example"];

In terms of SQL injection, you have prepared your query and bound variables to it already. There is no need to worry about sanitising inputs further. I find the following resource helpful when talking about PDO.

Upvotes: 2
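Putting the answer together with the question's INSERT, here is a complete process.php as an added example (not the answerer's code). It assumes $db_connection is an existing PDO handle, that the users table from the question exists, and that the form's input names are user_name, user_email, user_firstname, user_lastname and user_password; the remaining columns are filled by the server, not the form.

```php
<?php
// process.php: reads the form POST and runs the INSERT from the question.
// Added example, not the answerer's code. Assumes $db_connection is an
// existing PDO handle and that the users table from the question exists.
$db_connection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// 1. Read the form fields; ?? gives a default when a field is missing.
$txtName  = trim($_POST['user_name'] ?? '');
$txtMail  = trim($_POST['user_email'] ?? '');
$txtFirst = trim($_POST['user_firstname'] ?? '');
$txtLast  = trim($_POST['user_lastname'] ?? '');
$plain    = $_POST['user_password'] ?? '';
// 2. Validate. Binding stops SQL injection but does not check that the
//    values make sense, so refuse the request when they do not.
if ($txtName === '' || strlen($txtName) > 64) {
    http_response_code(400); exit('Invalid user name');
}
if (filter_var($txtMail, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400); exit('Invalid e-mail address');
}
if (strlen($plain) < 12) {
    http_response_code(400); exit('Password too short');
}
// 3. Values the server decides, never the form: hash the password, record
//    the client address and time, and default the rank/block flags.
$txtPassword = password_hash($plain, PASSWORD_DEFAULT);
$txtRIP      = $_SERVER['REMOTE_ADDR'] ?? '';
$txtIP       = $txtRIP;
$txtCreated  = date('Y-m-d H:i:s');
$txtRank     = 0;   // ordinary user
$txtBlock    = 0;   // not blocked
// 4. Bind each placeholder. The values travel as data, never inside the
//    SQL text; explicit PDO::PARAM_INT types the integer columns.
$stmt = $db_connection->prepare(
    'INSERT INTO users (user_name, user_password_hash, user_email, user_firstname,
     user_lastname, user_registerip, user_lastip, user_created, user_rank, user_block)
     VALUES (:user_name, :user_password_hash, :user_email, :user_firstname,
     :user_lastname, :user_registerip, :user_lastip, :user_created, :user_rank, :user_block)'
);
$stmt->bindValue(':user_name',          $txtName);
$stmt->bindValue(':user_password_hash', $txtPassword);
$stmt->bindValue(':user_email',         $txtMail);
$stmt->bindValue(':user_firstname',     $txtFirst);
$stmt->bindValue(':user_lastname',      $txtLast);
$stmt->bindValue(':user_registerip',    $txtRIP);
$stmt->bindValue(':user_lastip',        $txtIP);
$stmt->bindValue(':user_created',       $txtCreated);
$stmt->bindValue(':user_rank',          $txtRank,  PDO::PARAM_INT);
$stmt->bindValue(':user_block',         $txtBlock, PDO::PARAM_INT);
$stmt->execute();
```

bindValue is used instead of the question's bindParam because the values are fixed at bind time; bindParam binds by reference, which only matters when the variable changes before execute().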
