
Inserting into MySql

Posted: Thu Jan 26, 2012 7:48 am
by YoussefSiblini
Hi,
I am creating a registration system. Is this secure enough before I add it into my database:

Code:

$name = mysql_real_escape_string($name);
Or do I need to add more code?

Youssef

Re: Inserting into MySql

Posted: Thu Jan 26, 2012 8:34 am
by Celauran
You'd do better to use prepared statements.

Re: Inserting into MySql

Posted: Thu Jan 26, 2012 9:20 am
by YoussefSiblini
Thank you for your reply,

Sorry, but what do you mean? I am still new to PHP.

Re: Inserting into MySql

Posted: Thu Jan 26, 2012 9:28 am
by Celauran
Prepared statements:
MySQLi
PDO

Re: Inserting into MySql

Posted: Thu Jan 26, 2012 9:39 am
by YoussefSiblini
thank you

Re: Inserting into MySql

Posted: Thu Jan 26, 2012 3:57 pm
by social_experiment
I haven't used prepared statements myself, so I might be missing the point; there doesn't seem to be any escaping of data using mysqli_real_escape_string() in the mysqli::prepare examples. In both examples, IMO, it would still be advisable to have some sort of security check, e.g. whether a value is empty or of a specific type. Maybe it was left out of the example just for the sake of brevity?

Re: Inserting into MySql

Posted: Fri Jan 27, 2012 7:46 am
by YoussefSiblini
Hi guys,

Does that mean

Code:

$name = mysql_real_escape_string($name);
is not secure enough to use?
As I never used prepared statements before.


Youssef

Re: Inserting into MySql

Posted: Fri Jan 27, 2012 7:53 am
by social_experiment
It is secure as you have it;
http://mattbango.com/notebook/web-devel ... nd-mysqli/
Article about prepared statements; going to read it myself

Re: Inserting into MySql

Posted: Fri Jan 27, 2012 8:54 am
by YoussefSiblini
Thank you,
That is a good link to get me started with it :)

Re: Inserting into MySql

Posted: Thu Dec 20, 2012 6:59 am
by Mordred
The SQLi article in my sig has the details on when escaping is not enough. In some cases it applies to prepared statements (when issuing them) as well.
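
The most common case where escaping is not enough, shown as an added example (it is not from the thread or from the article Mordred refers to): mysql_real_escape_string() only neutralises a value that lands inside a quoted string literal. The same escaped value interpolated into a numeric comparison or an ORDER BY identifier still rewrites the query. The escapeLikeMysql() helper is a stand-in written for this example so that it runs without a database; it escapes the same characters mysql_real_escape_string() escapes for the default charset. Table and column names are illustrative.

```php
<?php
// Added example, not from the thread: escaping only protects a value that is
// interpolated inside a quoted string literal. escapeLikeMysql() is a
// stand-in written for this example (assumption: same character set as
// mysql_real_escape_string() for the default charset) so no database is needed.
function escapeLikeMysql(string $value): string
{
    return strtr($value, [
        "\0"   => '\0',
        "\n"   => '\n',
        "\r"   => '\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\Z',
    ]);
}

// Identifiers (column names) cannot be bound as parameters at all; the only
// safe handling is a whitelist, with a fixed default for anything else.
function orderByColumn(string $requested): string
{
    $allowed = ['FirstName', 'LastName', 'Age'];
    return in_array($requested, $allowed, true) ? $requested : 'LastName';
}

// Builds three queries from escaped input, one per interpolation context.
function buildQueries(string $name, string $age, string $orderBy): array
{
    $name    = escapeLikeMysql($name);
    $age     = escapeLikeMysql($age);
    $orderBy = escapeLikeMysql($orderBy);

    return [
        // Quoted string context: the escaped quote keeps the value inside the literal.
        'quoted'     => "SELECT * FROM Persons WHERE FirstName = '$name'",
        // Numeric context, no quotes: there is nothing for escaping to act on,
        // so "0 OR 1=1" survives intact. The fix is (int) casting or binding as 'i'.
        'numeric'    => "SELECT * FROM Persons WHERE Age = $age",
        // Identifier context: escaping does not apply; the fix is orderByColumn().
        'identifier' => "SELECT * FROM Persons ORDER BY $orderBy",
        // Same request, whitelisted: unknown column names fall back to the default.
        'whitelist'  => 'SELECT * FROM Persons ORDER BY ' . orderByColumn($orderBy),
    ];
}

// Constructed inputs: a legitimate name with an apostrophe, an injected
// numeric payload, and a conditional-ordering payload for the identifier slot.
$queries = buildQueries(
    "O'Brien",
    '0 OR 1=1',
    "IF(SUBSTR(@@version,1,1)='8', LastName, FirstName)"
);

foreach ($queries as $context => $sql) {
    echo str_pad($context, 11), $sql, PHP_EOL;
}
```

Only the first query is safe: `O'Brien` becomes `'O\'Brien'` and stays a string. In the second, the escaped value is byte-for-byte the original, so the WHERE clause becomes `Age = 0 OR 1=1`. In the third, the sort expression is simply adopted, which is enough for blind inference from the result order. Bound parameters cover the first two cases; identifiers need the whitelist. The charset caveat also belongs here: mysql_real_escape_string() is only correct when the client library knows the connection charset, so set it with mysql_set_charset() (or mysqli::set_charset()), not with a plain `SET NAMES` query.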

Re: Inserting into MySql

Posted: Wed Sep 25, 2013 2:45 am
by priyankagound
Insert Data Into a Database Table
The INSERT INTO statement is used to add new records to a database table.

Syntax

It is possible to write the INSERT INTO statement in two forms.

The first form doesn't specify the column names where the data will be inserted, only their values:

INSERT INTO table_name
VALUES (value1, value2, value3,...)
The second form specifies both the column names and the values to be inserted:

INSERT INTO table_name (column1, column2, column3,...)
VALUES (value1, value2, value3,...)


Example:

Code:

<?php
$con=mysqli_connect("example.com","peter","abc123","my_db");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }

$sql="INSERT INTO Persons (FirstName, LastName, Age)
VALUES
('$_POST[firstname]','$_POST[lastname]','$_POST[age]')";

if (!mysqli_query($con,$sql))
  {
  die('Error: ' . mysqli_error($con));
  }
echo "1 record added";

mysqli_close($con);
?>
Hope this helps you.

Re: Inserting into MySql

Posted: Wed Sep 25, 2013 1:30 pm
by Christopher
Do not put unescaped values from the request into SQL:

Code:

$sql="INSERT INTO Persons (FirstName, LastName, Age)
VALUES
('$_POST[firstname]','$_POST[lastname]','$_POST[age]')";   // DANGEROUS!!!
Use prepared statements:

Code:

$sql="INSERT INTO Persons (FirstName, LastName, Age)
VALUES
(?,?,?)";
$stmt = mysqli_prepare($con, $sql);   // values are sent separately from the SQL text
mysqli_stmt_bind_param($stmt, 'ssi', $_POST['firstname'], $_POST['lastname'], $_POST['age']);
mysqli_stmt_execute($stmt);
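
The complete version of the posted script, as an added example that is not from the thread: the INSERT from priyankagound's post done with a mysqli prepared statement, plus the empty/type check social_experiment asked about, since placeholders stop injection but say nothing about whether the data makes sense. Host, credentials, table and column names are taken from the script above; the validation limits (name length 50, age 0 to 150) and the utf8mb4 charset are assumptions for this example.

```php
<?php
// Added example, not from the thread: the posted INSERT rewritten with a mysqli
// prepared statement. Host, credentials, table and column names come from the
// original script; the validation rules and charset are assumptions.
declare(strict_types=1);

// Make mysqli throw on every error instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Insert one row. The values are bound, not interpolated, so they can never
// change the structure of the statement. Returns the number of rows inserted.
function insertPerson(mysqli $con, string $firstName, string $lastName, int $age): int
{
    $stmt = $con->prepare(
        'INSERT INTO Persons (FirstName, LastName, Age) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('ssi', $firstName, $lastName, $age);
    $stmt->execute();
    return $stmt->affected_rows;
}

// Validate before binding: required, bounded strings and a real integer.
// Limits (50 chars, 0..150) are assumptions for this example.
function readPersonFromPost(array $post): array
{
    $first = trim((string) ($post['firstname'] ?? ''));
    $last  = trim((string) ($post['lastname'] ?? ''));
    $age   = filter_var(
        $post['age'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]
    );

    if ($first === '' || $last === '' || mb_strlen($first) > 50 || mb_strlen($last) > 50) {
        throw new InvalidArgumentException('first and last name are required (max 50 chars)');
    }
    if ($age === false) {
        throw new InvalidArgumentException('age must be an integer between 0 and 150');
    }
    return [$first, $last, $age];
}

try {
    [$first, $last, $age] = readPersonFromPost($_POST);

    $con = new mysqli('example.com', 'peter', 'abc123', 'my_db');
    // Keep client and server charsets in agreement (assumed utf8mb4 schema).
    $con->set_charset('utf8mb4');

    $rows = insertPerson($con, $first, $last, $age);
    echo "$rows record added";
    $con->close();
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Invalid input: ', htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
} catch (mysqli_sql_exception $e) {
    // Log the driver message server-side; never echo it to the user.
    error_log($e->getMessage());
    http_response_code(500);
    echo 'Database error';
}
```

Two details differ from the original script beyond the placeholders. mysqli_report() turns every driver failure into an exception, so a failed connect or insert cannot fall through to "1 record added". And the error text from mysqli_error() is logged rather than echoed, because a verbose database error in the response is what makes error-based injection comfortable to work with.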