Is this safe for SQL injections?


$conn = new mysqli($DBServer, $DBUser, $DBPass, $DBName, $DBPort);
if ($conn->connect_error) {
    // abort with a fatal user error instead of echoing the error level
    trigger_error("Database connection failed: " . $conn->connect_error, E_USER_ERROR);
}

$myusername = htmlentities($_POST['userName'], ENT_QUOTES, "UTF-8");
$mypassword = htmlentities($_POST['passWord'], ENT_QUOTES, "UTF-8");
// the values are then concatenated straight into the query text:
// DO DELETE ... WHERE user='".$myusername."'
// DO SELECT ... WHERE user='".$myusername."'
// OR
// DO UPDATE ... WHERE user='".$myusername."'

Can I use POST variables safely?

Hi @fumeeptc, no, they are not; you should take care of them yourself. You should look into mysqli prepared statements. I suggest you even use the PDO extension instead, as it makes it a bit easier to deal with prepared statements.

@Andres_Vaquero So do I have a big problem here? Or how big is the problem? I'm new to security things!

I'm working on a project and it would be a big job to change to PDO now.

Hi @fumeeptc
What do you think, does a function called htmlentities() have any relation to SQL?

I will say, as it is, I do not know! :frowning:

Mysqli also has prepared statements, just not as convenient to use as PDO ones. They add a security layer to your queries. Please do some research and you'll learn how to use them.


@Andres_Vaquero OK, thanks, will do! All I wanted to know was if I can have a problem from some hacker side and get SQL injections!

You can indeed. Use prepared statements, validate and sanitize your input data.


Regarding your use of htmlentities(), was that same function applied to the strings when the data was inserted into the table? If not, it may create a mis-match. I would generally use it, or htmlspecialchars() rather, on outputting the data to an html page.
With the user name, if it’s not a “real name” you may restrict the character set available, then strip down any input to that set to ensure it is clean.
With the password, that needs to change. Don’t store raw passwords, it’s a security no no. The password should be hashed after creation, before insertion. The hashed string will be database safe and unreadable to anyone who happens to see it.
In the login, the password input should be checked against the hashed version in the database via password_verify().


@SamA74 I see… About passwords, they already are hashed, there are no problems. The question was about the SQL injection possibility with this code!

That’s good, but why escape it then?

As it stands, assuming the pseudo queries shown, it’s vulnerable. Handling the password like I said will take care of that part. With the user name, do as @Andres_Vaquero says:-

How you validate and sanitise depends on what you decide to accept as valid data for that field. Do you allow any string, or a restricted set of characters?


Wow… OK, I needed to show that I hash the password :stuck_out_tongue:
So here there could be trouble…

The username is actually an email address!

Thanks for the replies :slight_smile:

OK, we have filters to validate and sanitise that.


Thanks a lot for all the info! To everyone!

Typically you may use a query like this (prepared statement, where :username is bound to a valid email address):

"SELECT password FROM users WHERE user = :username"

Then validate the input against the result:-

if (password_verify($inputPassword, $dbPassword)) {
    // you are in!
} else {
    // you are not in!
}
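The lookup above written out as an added example (not code from the thread), using a mysqli prepared statement since the OP wants to stay on mysqli; it assumes a table `users` with columns `user` (the e-mail) and `password` (a password_hash() result), and validates the e-mail with filter_var as mentioned earlier.

```php
<?php
// Added example, not from the thread. Table and column names are assumptions.
declare(strict_types=1);

function authenticate(mysqli $conn, string $email, string $password): bool
{
    // Validate first: the login field is an e-mail address, so anything that
    // is not one is rejected before it gets anywhere near the database.
    $email = filter_var($email, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return false;
    }

    // Prepared statement: the query text is sent with a ? placeholder and the
    // value is bound separately, so quotes or SQL keywords in $email are data,
    // not part of the query. No htmlentities() or escaping needed here.
    $stmt = $conn->prepare('SELECT password FROM users WHERE user = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('s', $email);
    if (!$stmt->execute()) {
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $conn->error);
    }
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if ($found !== true) {
        return false; // unknown user; give the caller the same answer as a bad password
    }

    // Compare the submitted password with the stored hash; never compare raw strings.
    return password_verify($password, $storedHash);
}

// Usage with the POST fields from the question:
// $ok = authenticate($conn, $_POST['userName'] ?? '', $_POST['passWord'] ?? '');
```

Report a single generic "login failed" to the user for both the unknown-user and wrong-password cases so the form does not reveal which e-mails exist.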

Cool :slight_smile:

I’ve got a full example but again, for PDO only.
Though I hope that the OP will change their mind and start using PDO prepared statements, which in the end will save them time, as rewriting mysqli to PDO prepared statements will take less time and effort than rewriting mysqli to mysqli prepared statements.


I will consider this! Some other guy says I should start using OOP.
What you think about OOP?

You don’t have to start with OOP.
Object oriented programming is a very complex science; it takes several years of hard learning to get into. So for now just forget it.

What you really need is an Object oriented syntax, and it’s really simple, you can learn it in a few minutes for sure.
An object is a variable that may contain either another variable (called a property) or a function (called a method). Both are addressed via the arrow operator (->). That's all.

So instead of

mysqli_query($mysqli, $query);

you can write

$mysqli->query($query);

where query() is a method of the $mysqli object.

Similarly, instead of

mysqli_error($mysqli);

you can write

$mysqli->error;

where error is a property.

As you can see, OOP syntax is shorter and cleaner.

As for PDO, which you have probably confused with OOP, it's really simple too: a couple of functions to run your queries with prepared statements. And an example you can find at the link above.


It is the way you will have to go when you start dealing with a lot of code and large applications. It basically is just a tool to help you organise, reuse and architect your code better. It takes some time to grasp the concepts and practical examples, but once you do you wouldn't go back to procedural coding.
