SQL code which prevents SQL injection attacks

Hi guys

I'm trying to write some code which inserts values into the database and protects from SQL injections.

So far I have:

// $conn is an already-created PDO instance (assumed; not shown in the post)
$sql = "
    INSERT INTO users (title, firstname, surname)
    VALUES
    (:title, :firstname, :surname)";

// Prepare once: the SQL text is fixed, placeholders stand in for the data
$q = $conn->prepare($sql);

// Implicit binding: the values are passed separately from the SQL
$q->execute(
    array(
        ':title'     => $title,
        ':firstname' => $firstname,
        ':surname'   => $surname
    )
);

Will that do the job? Thanks


Yes, this is safe against SQL injections.

If I remember right, the statement name in the array is without the colon, or?

Both with and without the colon work.


Ah great, thanks. So I don't have to bind it? I was reading a tutorial saying you had to bind the data after you prepare it, but another tutorial didn't mention the binding part, so I got confused.

Using the bindParam or bindValue functions is only another possibility.

Ah ok - thanks @Thallius!

Explicit binding is NOT required, unless you are using long-blob-data or are using emulated prepared queries and you must tell php what data type to use when it’s not the default string data type.

In all other cases, simply use implicit binding, by supplying an array of data to the ->execute([…]) call.
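An added example (not code from anyone in this thread) putting both points of the reply above into one script: implicit binding via the array passed to execute() for the ordinary string columns, and an explicit PDO::PARAM_INT bind for the one case where the type matters. The DSN, credentials and the id column are assumptions; the users table and its three columns are those from the question.

```php
<?php
// Added example: PDO set up so that data is never parsed as SQL, plus the
// one case from the reply where an explicit typed bind is needed.
declare(strict_types=1);

function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4'; // assumed
    return new PDO($dsn, 'app_user', 'secret', [                // assumed credentials
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Implicit binding: every value is sent as data, whatever characters it holds.
function insertUser(PDO $pdo, string $title, string $firstname, string $surname): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO users (title, firstname, surname) VALUES (:title, :firstname, :surname)'
    );
    $stmt->execute([
        ':title'     => $title,
        ':firstname' => $firstname,
        ':surname'   => $surname,
    ]);
    return (int) $pdo->lastInsertId(); // assumes an auto-increment id column
}

// Explicit typed binding: if emulated prepares were on, a LIMIT value bound as
// the default string type would be quoted ('10') and MySQL would reject it,
// so the integer type is declared on the bind.
function recentUsers(PDO $pdo, int $limit): array
{
    $stmt = $pdo->prepare(
        'SELECT id, title, firstname, surname FROM users ORDER BY id DESC LIMIT :n'
    );
    $stmt->bindValue(':n', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

$pdo = connect();
// A quote inside the data is stored verbatim; it never reaches the SQL parser.
insertUser($pdo, 'Ms', 'Siobhan', "O'Brien");
print_r(recentUsers($pdo, 10));
```

Only values can be parameterised this way; table and column names are part of the SQL text, so if those ever come from user input they have to be checked against a fixed whitelist instead.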

I don’t use mysqli, but I think you have to bind parameters using that.
In PDO there is no need to bind the parameters, so much simpler.
