How to prevent SQL Injection (WHERE clause)?

Question

How to prevent SQL Injection (WHERE clause)?

Asked 3 years, 10 months ago

Viewed 16 times

0

How can I prevent SQL Injection in this case?

<?php

//==== GET URL PARAMETER
$urlParam =  $_GET['u'];
    
$sql = "SELECT email FROM `users` WHERE keystring = '$urlParam'";
$result = mysqli_query($conn, $sql);
    
$row = mysqli_fetch_array($result);

Utilize mysqli_real_escape_string or use Prepared Statment.

– Inkeliz

2020/12/29 at 17:38
Where should I put "mysqli_real_escape_string" ?

– Vitor Freitas

2020/12/29 at 17:51
Hello Victor, here’s how to prevent sqlinjection: How to prevent SQL code injection into my PHP code?.

– Guilherme Nascimento

2020/12/29 at 18:15

No answers

Browser other questions tagged php mysql database

You are not signed in. Login or sign up in order to post.