droidus

Reputation: 641

php sql injection escape string

I have this code, and for some reason, it puts in the exact value (including mysql_real...)

mysql_query("INSERT INTO members (username) VALUES ('mysql_real_escape_string($uname)')");

how do I rewrite this so I don't have this issue?

Upvotes: 0

Views: 1283

Answers (2)

Philipp Reichart

Reputation: 20961

You could also use a prepared statement, where PDO takes care of escaping for whatever database it works with (not just MySQL):

// $dbh is an existing PDO connection; the placeholder is filled in by the driver, not by string concatenation
$stmt = $dbh->prepare("INSERT INTO members (username) VALUES (:username)");

// either:
$stmt->bindParam(':username', $uname);
$stmt->execute();

// or as Corbin pointed out in the comments (PDO accepts the key with or without the leading colon):
$stmt->execute(array('username' => $uname));

Upvotes: 2

David

Reputation: 4361

mysql_real_escape_string is a PHP function, not a MySQL function.

$value = mysql_real_escape_string($uname);

mysql_query("INSERT INTO members (username) VALUES ('$value')");

UPDATE: Inline mysql_real_escape_string

mysql_query("INSERT INTO members (username) VALUES ('".mysql_real_escape_string($uname)."')");

Upvotes: 2
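The two answers above make one point each: PHP only interpolates variables inside a double-quoted string (never a function call), and a prepared statement sidesteps escaping altogether. The following is an added example that is not part of the question or either answer; it uses an in-memory SQLite database through PDO as a stand-in for MySQL so it runs without a server (the MySQL DSN and the `insertMember` helper are assumptions, not anything from the page).

```php
<?php
// Added example, not code from the original question or answers.
// Uses PDO with SQLite in memory so it runs offline; for MySQL the DSN would be
// something like "mysql:host=localhost;dbname=app;charset=utf8mb4" (assumed).

$uname = "O'Brien"; // constructed sample input that contains a single quote

// 1. Why the question's INSERT stored the literal text "mysql_real_escape_string":
//    a double-quoted PHP string interpolates variables only, never function calls.
$naive = "INSERT INTO members (username) VALUES ('mysql_real_escape_string($uname)')";
echo $naive, "\n";
// The output keeps the function name verbatim, and the quote inside the
// input is not escaped, so the statement is both wrong and breakable by the input.

// 2. Prepared statement (Philipp's answer): the value never becomes part of
//    the SQL text, so no escaping function is needed at all.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL, also turn off client-side emulation so the server binds the values:
// $dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$dbh->exec("CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT NOT NULL)");

// Hypothetical helper: inserts one member and returns the new row id.
function insertMember(PDO $dbh, string $username): int
{
    $stmt = $dbh->prepare("INSERT INTO members (username) VALUES (:username)");
    $stmt->execute([':username' => $username]);
    return (int) $dbh->lastInsertId();
}

$id = insertMember($dbh, $uname);

// 3. Read the row back: the stored value is exactly the input, quote included,
//    with no escaping characters and no function name leaking into the data.
$stmt = $dbh->prepare("SELECT username FROM members WHERE id = :id");
$stmt->execute([':id' => $id]);
$stored = $stmt->fetchColumn();
echo "stored: ", $stored, "\n";
echo ($stored === $uname) ? "round-trip OK\n" : "round-trip FAILED\n";
```

The first `echo` shows the same symptom the question describes: the SQL string contains the characters `mysql_real_escape_string(` followed by the raw value. The prepared-statement path has no such problem because the driver sends the value separately from the statement text, which is also why it works unchanged for any database PDO supports.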
