PHP/MySQL

From dbawiki

Revision as of 22:52, 30 December 2012 by Stuart (talk | contribs) (→‎Using prepared statements to avoid SQL injection)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to: navigation, search

Using prepared statements to avoid SQL injection

Using this method of writing SQL removes the necessity to attempt to clean the input with mysql_real_escape_string()

$dbPreparedStatement = $db->prepare('INSERT INTO table (postId, htmlcontent) VALUES (:postid, :htmlcontent)');
$dbPreparedStatement->bindParam(':postid', $userId, PDO::PARAM_INT);
$dbPreparedStatement->bindParam(':htmlcontent', $yourHtmlData, PDO::PARAM_STR);
$dbPreparedStatement->execute();

Retrieved from "https://mailnest.com/dbawiki/index.php?title=PHP/MySQL&oldid=293"