mysqli_real_escape_string

PHP
1

Hi all,

I’m trying to alter a piece of code to include the mysqli_real_escape_string to avoid sql injections and I would like to ask if the following code is properly written as I’m not quiet sure how to test it.

Original code:


   	if(($rss_title !='') && ($rss_url !=''))
   	{
   		$query=mysqli_query($GLOBALS["___mysqli_ston"], "insert into rss (title, url, published, lang) values ('$rss_title', '$rss_url', '1', '$_SESSION[session_lang]')");
   	}

Altered code:


   	if(($rss_title !='') && ($rss_url !=''))
   	{
   		$query=mysqli_query($GLOBALS["___mysqli_ston"], "insert into rss (title, url, published, lang) values ('$rss_title', '$rss_url', '1', '$_SESSION[session_lang]')");
        $query = mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $rss_title, $rss_url, $_SESSION);
   	}

Thanks

2

Hi,
Try this (the valuest must be filtered with mysqli_real_escape_string() not the whole sql query).

if($rss_title !='' && $rss_url !='') {
  $query = mysqli_query($GLOBALS["___mysqli_ston"], "insert into rss (title, url, published, lang) values ('". mysqli_real_escape_string($rss_title) ."', '". mysqli_real_escape_string($rss_url) ."', '1', '". mysqli_real_escape_string($_SESSION[session_lang]) ."')");
}
3

You shouldn’t ever need to use mysqli_real_escape_string as an even better solution is to use prepare and bind that makes injection completely impossible by keeping the data completely separate from the SQL

4

Thanks a lot for the replies.
Felgal, would you mind giving an example of the above code but with prepare statements?

Thanks a lot

5 
$stmt = $GLOBALS["___mysqli_ston"]->prepare("insert into rss (title, url, published, lang) values (?, ?, ?, ?)");
$stmt->bind_param('ssds', $rss_title, $rss_url, 1, $_SESSION[session_lang]);
6

Many thanks Felgall.

The code however throws the following error:

Fatal error: Cannot pass parameter 4 by reference in /opt/lampp/htdocs/modules/rss/admin-rss.php on line 61

where line 61 is:

$stmt->bind_param(‘ssds’, $rss_title, $rss_url, 1, $_SESSION[session_lang]);

Any ideas?

7

Ignore my last post, I figure it out. I needed to pass the value 1 into a variable to work.

Many thanks for your help.

8

For some reason the session is not getting properly via the prepare statement.
This is my existing code which seems to work fine but only for one language as it doesn’t get the session_lang. Any ideas?

    $stmt = $GLOBALS["___mysqli_ston"]->prepare("insert into rss (title, url, published, lang) values (?, ?, ?, ?)");
    $my_var = 1;
    $stmt->bind_param('ssds', $rss_title, $rss_url, $my_var, $_SESSION[session_lang]);
    $stmt->execute();
    $stmt->close();