NullPointerException

Reputation: 37627

How to protect this SQL in a PHP from SQL Injection?

Can someone give me a little help with this? I have three PHP SQL queries, and I have to protect them from SQL injection. I am searching on Google but I think it is too hard for me, because it's combined with PHP and I don't know much about PHP and even less about SQL.

If someone can give me the protected code, I'll be grateful.

The code:

$q=mysql_query("SELECT * FROM user where email= '".$_REQUEST['email']."'",$link );

$q=mysql_query("UPDATE user SET mobilePhone='".$_REQUEST['mobilePhone']."', fullName='".$_REQUEST['fullName']."' WHERE email='".$_REQUEST['email']."'",$link );

$q=mysql_query("UPDATE user SET mobilePhone='".$_REQUEST['mobilePhone']."' , fullName='".$_REQUEST['fullName']."', password='".$_REQUEST['password']."'  WHERE email='".$_REQUEST['email']."'",$link );

Upvotes: 0

Views: 824

Answers (3)

ircmaxell

Reputation: 165201

Well, the simple way would be to wrap each of the $_REQUEST vars in mysql_real_escape_string()...

$q=mysql_query("SELECT * FROM user 
    where email= '".mysql_real_escape_string($_REQUEST['email'])."'",$link );

The better way would be to use prepared queries. There are plenty of tutorials available on how to do it, so I'll leave that to you...

Upvotes: 2

Sarfraz

Reputation: 382696

The least you can do to prevent SQL injection is to use the mysql_real_escape_string function on any variables that go into your queries.

The best you can do is to use prepared statements to avoid SQL injection.

The parameters to prepared statements don't need to be quoted; the driver automatically handles this. If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible).

Suggestion:

To be further on the safer side, you should always use the proper array, e.g. $_POST or $_GET, instead of $_REQUEST, for security reasons.

Upvotes: 2
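Both of the answers above recommend prepared statements over mysql_real_escape_string, and the second one also recommends reading from $_POST rather than $_REQUEST. The following is an added example written for this page (it is not code from the question or from either answer) that applies both points to the asker's three queries using PDO. Note that the mysql_* functions used in the question and in the answers were removed in PHP 7.0, so PDO or mysqli is what current PHP offers anyway. It assumes a MySQL database named "app" on localhost with a "user" table containing the columns the question uses; the DSN, database user and database password are placeholders. With parameters bound this way, an apostrophe in a submitted value (a name like O'Brien, say) reaches the server as data, never as part of the SQL text, and no quoting or escaping is needed in the query string.

```php
<?php
// Added example, not from the original question or answers.
// Assumptions: MySQL database "app" on localhost, a "user" table with the
// columns email, mobilePhone, fullName and password, and a POST form.
// DB_USER_PLACEHOLDER and DB_PASSWORD_PLACEHOLDER are placeholders.

declare(strict_types=1);

function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4';
    return new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', [
        // Throw on errors instead of silently returning false.
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Use server-side prepared statements rather than client-side
        // emulation, so parameter values travel separately from the SQL text.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

/** First query from the question: look up one user by e-mail address. */
function findUserByEmail(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM user WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Second query: update phone and name. Returns the number of rows changed. */
function updateProfile(PDO $pdo, string $email, string $mobilePhone, string $fullName): int
{
    $stmt = $pdo->prepare(
        'UPDATE user SET mobilePhone = :mobilePhone, fullName = :fullName WHERE email = :email'
    );
    $stmt->execute([
        ':mobilePhone' => $mobilePhone,
        ':fullName'    => $fullName,
        ':email'       => $email,
    ]);
    return $stmt->rowCount();
}

/** Third query: the same update plus the password column. */
function updateProfileAndPassword(
    PDO $pdo, string $email, string $mobilePhone, string $fullName, string $password
): int {
    $stmt = $pdo->prepare(
        'UPDATE user SET mobilePhone = :mobilePhone, fullName = :fullName, '
        . 'password = :password WHERE email = :email'
    );
    $stmt->execute([
        ':mobilePhone' => $mobilePhone,
        ':fullName'    => $fullName,
        ':password'    => $password,
        ':email'       => $email,
    ]);
    return $stmt->rowCount();
}

/**
 * Read one field from $_POST only (not $_REQUEST, which also merges GET and
 * cookie data) and refuse the request if the field is missing or not a string.
 */
function requirePost(string $key): string
{
    if (!isset($_POST[$key]) || !is_string($_POST[$key])) {
        http_response_code(400);
        exit('Missing field: ' . $key);
    }
    return $_POST[$key];
}

$pdo   = connect();
$email = requirePost('email');

if (findUserByEmail($pdo, $email) === null) {
    http_response_code(404);
    exit('No such user');
}

$mobilePhone = requirePost('mobilePhone');
$fullName    = requirePost('fullName');

// Only touch the password column when the form actually sent a new password.
if (isset($_POST['password']) && is_string($_POST['password']) && $_POST['password'] !== '') {
    $changed = updateProfileAndPassword($pdo, $email, $mobilePhone, $fullName, $_POST['password']);
} else {
    $changed = updateProfile($pdo, $email, $mobilePhone, $fullName);
}

echo 'Rows changed: ' . $changed;
```

The point the second answer makes about other parts of a query still being injectable applies here too: the bound placeholders cover values only. Table names, column names and ORDER BY directions cannot be bound this way, so if any of those ever come from the request they must be checked against a fixed allow-list in PHP before being placed into the SQL string.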

Eamorr

Reputation: 10012

Take a look at PHP's mysql_real_escape_string.

Upvotes: 1
