Doubt about SQL Injection/mysqli_real_escape_string


I have doubts about SQL injection in PHP. I have a class that holds the user object, which has name, age, etc.

Then I put in the variable query something like:

insert into tb_usuarios(nome)values('$this->nome');

Surely you are at risk of SQL injection that way, right? I read about mysqli_real_escape_string and they say it's not totally safe.

Can someone shed some light on this?

1 answer


The way to escape a string depends on which method you use to enter the data into the database.

If it is PDO, you bind the values:

$stmt = $conn->prepare("INSERT INTO tb_usuarios (nome) VALUES (:nome);");
$stmt->bindValue(":nome", $this->nome);
$stmt->execute();

If it is the mysqli class, you should use it like this:

$nome = $conn->real_escape_string($this->nome);
$conn->query("INSERT INTO tb_usuarios (nome) VALUES ('$nome');");
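The following is an added example, not code from the question or the answer above. It puts the interpolated query from the question next to the bound-parameter version, running both against an in-memory SQLite database through PDO so it works offline, and defines the equivalent mysqli prepared statement (which needs a live server and is therefore only declared, not called). The table and column names come from the question; the sample name "O'Brien" is constructed, and a legitimate apostrophe is all it takes to show why building SQL text from a value is fragile. On the escaping caveat the question raises: `real_escape_string()` only protects a value that ends up inside a quoted string literal, and only when the connection character set was set with `$conn->set_charset()` rather than an ad-hoc `SET NAMES` query; a value dropped unquoted into a numeric position gains nothing from it. Prepared statements sidestep all of that because the value never becomes part of the SQL text.

```php
<?php
// Added example (not from the original post). Same INSERT written three
// ways. Runs offline against SQLite via PDO; table/column names follow
// the question (tb_usuarios, nome); the sample value is constructed.
declare(strict_types=1);

function newDb(): PDO {
    $db = new PDO('sqlite::memory:');
    // Throw on errors so a broken query is visible instead of silent.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tb_usuarios (id INTEGER PRIMARY KEY, nome TEXT NOT NULL)');
    return $db;
}

// Unsafe: the value is spliced into the SQL text, so any quote inside it
// changes the statement itself. This is the pattern from the question.
function insertInterpolated(PDO $db, string $nome): void {
    $db->exec("INSERT INTO tb_usuarios (nome) VALUES ('$nome')");
}

// Safe: the value travels as a parameter, never as SQL text, so the
// driver treats it as one string whatever characters it contains.
function insertBound(PDO $db, string $nome): void {
    $stmt = $db->prepare('INSERT INTO tb_usuarios (nome) VALUES (:nome)');
    $stmt->bindValue(':nome', $nome, PDO::PARAM_STR);
    $stmt->execute();
}

// mysqli equivalent with a prepared statement (needs a real server, so it
// is declared here but not called). No escaping step is required.
function insertMysqli(mysqli $conn, string $nome): void {
    $stmt = $conn->prepare('INSERT INTO tb_usuarios (nome) VALUES (?)');
    $stmt->bind_param('s', $nome);
    $stmt->execute();
    $stmt->close();
}

function fetchNames(PDO $db): array {
    return $db->query('SELECT nome FROM tb_usuarios ORDER BY id')
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample: an ordinary name with an apostrophe.
$nome = "O'Brien";
$db = newDb();

try {
    insertInterpolated($db, $nome);
} catch (PDOException $e) {
    // The apostrophe closed the string literal early, leaving "Brien')"
    // dangling: the statement is now invalid SQL.
    echo 'Interpolated query failed: ', $e->getMessage(), PHP_EOL;
}

insertBound($db, $nome);
var_dump(fetchNames($db));
```

Run it with `php example.php`: the interpolated INSERT is rejected by the database while the bound version stores the name intact. Where the database does not reject the altered statement but executes it, the same mechanism is what lets a crafted value change the query's meaning, which is the risk the question asks about.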
