J. Doe

Reputation: 525

Preventing SQL injection insert into

I am having trouble inserting data into my database. This is my first time dealing with SQL injection.

$stmt = $dbConnection->prepare('INSERT INTO users(name) VALUES('name = ?')');
$stmt->bind_param('s', $name);

$stmt->execute();

But that doesn't work. Any help would be appreciated!

Upvotes: 0

Views: 88

Answers (2)

The Codesee

Reputation: 3783

You have a few syntax errors in your code. Try this:

$stmt = $dbConnection->prepare('INSERT INTO users (name) VALUES (:s)');
$stmt->bindParam(':s', $name);
$stmt->execute();

If you want to insert and define more values, do it like this:

$stmt = $dbConnection->prepare('INSERT INTO users (name, email) VALUES (:s, :email)');
$stmt->bindParam(':s', $name);
$stmt->bindParam(':email', $email);
$stmt->execute();

If you're using mysqli, your code will look like this:

$stmt = $dbConnection->prepare('INSERT INTO users (name) VALUES (?)');
$stmt->bind_param('s', $name);
$stmt->execute();

Upvotes: 3

Barmar

Reputation: 780869

You don't need name = in the SQL, the column name is specified in the list (name) after the table name. Just put a ? where you would normally put the value.

$stmt = $dbConnection->prepare('INSERT INTO users(name) VALUES(?)');
$stmt->bind_param('s', $name);
$stmt->execute();

Upvotes: 2
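As an added worked example (not code from either answer), here is the same INSERT done end to end with PDO, including a lookup of the stored row, next to the string-concatenation form that the prepared statement replaces. It uses an in-memory SQLite database so it runs without a MySQL server; the DSN, table and sample name are constructed for this demonstration.

```php
<?php
// Added example: prepared-statement INSERT with PDO.
// SQLite in memory is an assumption so the script is self-contained;
// with MySQL only the DSN changes ('mysql:host=...;dbname=...').
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT)');

// UNSAFE, shown only for contrast: the value is spliced into the SQL text,
// so any quote inside $name changes the statement itself.
function insertUserUnsafe(PDO $pdo, string $name): void
{
    $pdo->exec("INSERT INTO users (name) VALUES ('$name')");
}

// SAFE: the SQL text contains only placeholders; the values are sent
// separately and are never parsed as SQL, whatever characters they hold.
function insertUser(PDO $pdo, string $name, ?string $email = null): int
{
    $stmt = $pdo->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':email', $email, $email === null ? PDO::PARAM_NULL : PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Reading back the row, also with a bound parameter.
function findUser(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT name, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample input: an ordinary name that contains a single quote.
$name = "O'Brien";

try {
    insertUserUnsafe($pdo, $name);
} catch (PDOException $e) {
    // The quote terminated the string literal early and the statement is invalid.
    echo "Unsafe insert failed: ", $e->getMessage(), "\n";
}

$id  = insertUser($pdo, $name, 'obrien@example.com');
$row = findUser($pdo, $id);
// The prepared insert stores the name exactly as given, quote included.
echo "Stored row {$id}: {$row['name']} <{$row['email']}>\n";
```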
