Overclock.net › Forums › Software, Programming and Coding › Coding and Programming › Web Coding › is mysql_real_escape_string() enough to prevent SQL injection?
New Posts  All Forums:Forum Nav:

is mysql_real_escape_string() enough to prevent SQL injection?

post #1 of 3
Thread Starter 
Hello,

So I read that mysql_real_escape_string() is deprecated in php 5 and will be removed completely in php6. I also read that I should use pdo to prevent sql injection. is that true?

if so can you guys give me an example on how to enable pdo drive in my database and show some code example on how to prevent sql injection using pdo?

thanks smile.gif
    
CPUMotherboardGraphicsRAM
Intel 3930K 5040MHz @ 1.48 - 1.53v @ VTT/VCCSA ... Asus rampage extreme IV Gigabyte GTX 970 G1 @ 1580/4050MHz @ 1.325V Corsair Vengeance 64GB (8 x 8GB) DDR3 2400MHz. ... 
Hard DriveHard DriveHard DriveHard Drive
Samsung 850 Pro 256GB Seagate Barracuda ST3000DM001 3TB WD Black 1TB 64Mb Cache  WD Blue 500GB 16mb Cache 
Hard DriveOptical DriveCoolingCooling
WD Black 4TB 64mb Cache LG DVD EK-FB KIT RE4 - Acetal EK-FC970 GTX WF3 Backplate - Black 
CoolingCoolingCoolingCooling
Laing D5 Vario 12V DC Pump (MCP 655)  EK-BAY SPIN Reservoir - Plexi EK-CoolStream RAD XT (240) EK-CoolStream RAD XTX (120) 
CoolingCoolingCoolingCooling
EK-CoolStream XE 120 (Single) 8x Corsair Air SP120 PWM High Performance Edition 3x Corsair Air AF120 High Performance Edition EK-Supremacy EVO CPU Water Block (Nickel Acetal) 
CoolingOSMonitorMonitor
EK-FC970 GTX WF3 - Acetal+Nickel Windows 10 64-bit v1511 build 10586.14 BenQ RL2755HM LG W2261 
MonitorKeyboardPowerCase
Samsung S23C350 Razer BlackWidow Ultimate Cooler Master Silent Pro Gold 1000W Thermaltake Level 10 GT 
Mouse
Razer Lachesis 5600DPI 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
Intel 3930K 5040MHz @ 1.48 - 1.53v @ VTT/VCCSA ... Asus rampage extreme IV Gigabyte GTX 970 G1 @ 1580/4050MHz @ 1.325V Corsair Vengeance 64GB (8 x 8GB) DDR3 2400MHz. ... 
Hard DriveHard DriveHard DriveHard Drive
Samsung 850 Pro 256GB Seagate Barracuda ST3000DM001 3TB WD Black 1TB 64Mb Cache  WD Blue 500GB 16mb Cache 
Hard DriveOptical DriveCoolingCooling
WD Black 4TB 64mb Cache LG DVD EK-FB KIT RE4 - Acetal EK-FC970 GTX WF3 Backplate - Black 
CoolingCoolingCoolingCooling
Laing D5 Vario 12V DC Pump (MCP 655)  EK-BAY SPIN Reservoir - Plexi EK-CoolStream RAD XT (240) EK-CoolStream RAD XTX (120) 
CoolingCoolingCoolingCooling
EK-CoolStream XE 120 (Single) 8x Corsair Air SP120 PWM High Performance Edition 3x Corsair Air AF120 High Performance Edition EK-Supremacy EVO CPU Water Block (Nickel Acetal) 
CoolingOSMonitorMonitor
EK-FC970 GTX WF3 - Acetal+Nickel Windows 10 64-bit v1511 build 10586.14 BenQ RL2755HM LG W2261 
MonitorKeyboardPowerCase
Samsung S23C350 Razer BlackWidow Ultimate Cooler Master Silent Pro Gold 1000W Thermaltake Level 10 GT 
Mouse
Razer Lachesis 5600DPI 
  hide details  
Reply
post #2 of 3
mysql has been replaced by msqli (i stands for improved) and mysqli has prepared statements you could use which to prevent sql injection, though I find them more confusing then pdo. If you want to do pdo it's the same idea here is a basic code for one. Also note that you need to watch out for other security threats like cross site scripting which prepared statements don't handle.
Code:
//Connect to the database
//host, database, user, password
$db = new PDO("mysql:host=localhost;dbname=someDatabase", "root","");

//First grab your values from a form as you normally would
$title = $_POST['title'];
$description = $_POST['description'];

//Now the prepared statement
//Do an insert on the product tables, going to insert a title and description
//Instead of questions marks you could also put VALUES(:title, :description) this is called named parameters
$newProduct = $db->prepare("INSERT INTO products(title, description) VALUES(?,?)"); 

//Binds our title to whatever is held in the $title var, the 1 represents it being the first '?' in the VALUES
$newProduct ->bindValue(1, $title);
//Or if you if want to use named parameters
$newProduct->bindValue(':title', $title);

 //Same as for setting a title except it is now for the second ?
$newProduct ->bindValue(2, $description);

 //This will run our statement and write to the database
$newProduct ->execute();

//From here you'd do what you'd normally do in your code

Edited by the_dude - 3/23/13 at 8:22am
My System
(16 items)
 
  
CPUMotherboardGraphicsRAM
i7 920 @ Stock Asus P6T ATI HD5870 OCZ 6GB 1333mhz 
Hard DriveHard DriveOptical DriveCooling
Samsung 840 Evo Caviar Black 640GB LG DVD Drive Cm Hyper 212+ 
CoolingOSMonitorPower
Arctic Cooling Accelero Twin Turbo II Windows 7 64bit ASUS VW246H Corsair HX850 
Case
CM 690 II Adavanced 
  hide details  
Reply
My System
(16 items)
 
  
CPUMotherboardGraphicsRAM
i7 920 @ Stock Asus P6T ATI HD5870 OCZ 6GB 1333mhz 
Hard DriveHard DriveOptical DriveCooling
Samsung 840 Evo Caviar Black 640GB LG DVD Drive Cm Hyper 212+ 
CoolingOSMonitorPower
Arctic Cooling Accelero Twin Turbo II Windows 7 64bit ASUS VW246H Corsair HX850 
Case
CM 690 II Adavanced 
  hide details  
Reply
post #3 of 3
Thread Starter 
thanks. that was really helpful smile.gif
    
CPUMotherboardGraphicsRAM
Intel 3930K 5040MHz @ 1.48 - 1.53v @ VTT/VCCSA ... Asus rampage extreme IV Gigabyte GTX 970 G1 @ 1580/4050MHz @ 1.325V Corsair Vengeance 64GB (8 x 8GB) DDR3 2400MHz. ... 
Hard DriveHard DriveHard DriveHard Drive
Samsung 850 Pro 256GB Seagate Barracuda ST3000DM001 3TB WD Black 1TB 64Mb Cache  WD Blue 500GB 16mb Cache 
Hard DriveOptical DriveCoolingCooling
WD Black 4TB 64mb Cache LG DVD EK-FB KIT RE4 - Acetal EK-FC970 GTX WF3 Backplate - Black 
CoolingCoolingCoolingCooling
Laing D5 Vario 12V DC Pump (MCP 655)  EK-BAY SPIN Reservoir - Plexi EK-CoolStream RAD XT (240) EK-CoolStream RAD XTX (120) 
CoolingCoolingCoolingCooling
EK-CoolStream XE 120 (Single) 8x Corsair Air SP120 PWM High Performance Edition 3x Corsair Air AF120 High Performance Edition EK-Supremacy EVO CPU Water Block (Nickel Acetal) 
CoolingOSMonitorMonitor
EK-FC970 GTX WF3 - Acetal+Nickel Windows 10 64-bit v1511 build 10586.14 BenQ RL2755HM LG W2261 
MonitorKeyboardPowerCase
Samsung S23C350 Razer BlackWidow Ultimate Cooler Master Silent Pro Gold 1000W Thermaltake Level 10 GT 
Mouse
Razer Lachesis 5600DPI 
  hide details  
Reply
    
CPUMotherboardGraphicsRAM
Intel 3930K 5040MHz @ 1.48 - 1.53v @ VTT/VCCSA ... Asus rampage extreme IV Gigabyte GTX 970 G1 @ 1580/4050MHz @ 1.325V Corsair Vengeance 64GB (8 x 8GB) DDR3 2400MHz. ... 
Hard DriveHard DriveHard DriveHard Drive
Samsung 850 Pro 256GB Seagate Barracuda ST3000DM001 3TB WD Black 1TB 64Mb Cache  WD Blue 500GB 16mb Cache 
Hard DriveOptical DriveCoolingCooling
WD Black 4TB 64mb Cache LG DVD EK-FB KIT RE4 - Acetal EK-FC970 GTX WF3 Backplate - Black 
CoolingCoolingCoolingCooling
Laing D5 Vario 12V DC Pump (MCP 655)  EK-BAY SPIN Reservoir - Plexi EK-CoolStream RAD XT (240) EK-CoolStream RAD XTX (120) 
CoolingCoolingCoolingCooling
EK-CoolStream XE 120 (Single) 8x Corsair Air SP120 PWM High Performance Edition 3x Corsair Air AF120 High Performance Edition EK-Supremacy EVO CPU Water Block (Nickel Acetal) 
CoolingOSMonitorMonitor
EK-FC970 GTX WF3 - Acetal+Nickel Windows 10 64-bit v1511 build 10586.14 BenQ RL2755HM LG W2261 
MonitorKeyboardPowerCase
Samsung S23C350 Razer BlackWidow Ultimate Cooler Master Silent Pro Gold 1000W Thermaltake Level 10 GT 
Mouse
Razer Lachesis 5600DPI 
  hide details  
Reply
New Posts  All Forums:Forum Nav:
  Return Home
  Back to Forum: Web Coding
Overclock.net › Forums › Software, Programming and Coding › Coding and Programming › Web Coding › is mysql_real_escape_string() enough to prevent SQL injection?