Inserting into MySql
Posted: Thu Jan 26, 2012 7:48 am
by YoussefSiblini
Hi,
I am creating a registration system, is this secure enough before I add the into my database:
$name = mysql_real_escape_string($name);
Or do I need to add more code?
Youssef
Re: Inserting into MySql
Posted: Thu Jan 26, 2012 8:34 am
by Celauran
You'd do better to use prepared statements.
Re: Inserting into MySql
Posted: Thu Jan 26, 2012 9:20 am
by YoussefSiblini
Thank you for your reply,
Sorry, but what do you mean, as I am still new to PHP?
Re: Inserting into MySql
Posted: Thu Jan 26, 2012 9:28 am
by Celauran
Prepared statements:
MySQLi
PDO
Re: Inserting into MySql
Posted: Thu Jan 26, 2012 9:39 am
by YoussefSiblini
thank you
Re: Inserting into MySql
Posted: Thu Jan 26, 2012 3:57 pm
by social_experiment
I haven't used prepared statements myself so I might be missing this point; there doesn't seem to be any escaping of data using mysqli_real_escape_string() in the mysqli::prepare examples. In both examples, imo, it would still be advisable to have some sort of security check, if a value is empty or of a specific type. Maybe it was left out of the example just for the sake of brevity?
Re: Inserting into MySql
Posted: Fri Jan 27, 2012 7:46 am
by YoussefSiblini
Hi guys,
Does that mean
$name = mysql_real_escape_string($name);
is not secure enough to use?
As I never used prepared statements before.
Youssef
Re: Inserting into MySql
Posted: Fri Jan 27, 2012 7:53 am
by social_experiment
It is secure as you have it;
http://mattbango.com/notebook/web-devel ... nd-mysqli/
Article about prepared statements; going to read it myself
Re: Inserting into MySql
Posted: Fri Jan 27, 2012 8:54 am
by YoussefSiblini
Thank you,
That is a good link to get me started with it

Re: Inserting into MySql
Posted: Thu Dec 20, 2012 6:59 am
by Mordred
The SQLi article in my sig has the details on when escaping is not enough. For some cases it also applies to prepared statements (when issuing them) as well.
Re: Inserting into MySql
Posted: Wed Sep 25, 2013 2:45 am
by priyankagound
Insert Data Into a Database Table
The INSERT INTO statement is used to add new records to a database table.
Syntax
It is possible to write the INSERT INTO statement in two forms.
The first form doesn't specify the column names where the data will be inserted, only their values:
INSERT INTO table_name
VALUES (value1, value2, value3,...)
The second form specifies both the column names and the values to be inserted:
INSERT INTO table_name (column1, column2, column3,...)
VALUES (value1, value2, value3,...)
Example:
<?php
$con=mysqli_connect("example.com","peter","abc123","my_db");
// Check connection
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$sql="INSERT INTO Persons (FirstName, LastName, Age)
VALUES
('$_POST[firstname]','$_POST[lastname]','$_POST[age]')";
if (!mysqli_query($con,$sql))
{
die('Error: ' . mysqli_error($con));
}
echo "1 record added";
mysqli_close($con);
?>
Hope this helps you.
Re: Inserting into MySql
Posted: Wed Sep 25, 2013 1:30 pm
by Christopher
Do not put unescaped values from the request into SQL:
$sql="INSERT INTO Persons (FirstName, LastName, Age)
VALUES
('$_POST[firstname]','$_POST[lastname]','$_POST[age]')"; // DANGEROUS!!!
Use prepared statements:
$sql="INSERT INTO Persons (FirstName, LastName, Age)
VALUES
(?,?,?)";