php - mysql avoid sql injections

Question

I have many functions like

updateUser($id,$username,$email)
updateMusic($id, $music)

etc...

Is there a generic function to avoid SQL injections ?

I just want to avoid using mysql_real_escape_string for each parameter I have

$username = mysql_real_escape_string($username);
$email= mysql_real_escape_string($email);
$music= mysql_real_escape_string($music);

You could just put them in your function, instead of having to pass them into the params each time. — Prisoner
– Prisoner, Commented Aug 18, 2011 at 8:37
yes there is a generic function - mysql_real_escape_string() — symcbean
– symcbean, Commented Aug 18, 2011 at 9:19
This question is similar to: How can I prevent SQL injection in PHP?. If you believe it’s different, please edit the question, make it clear how it’s different and/or how the answers on that question are not helpful for your problem. — user4157124
– user4157124, Commented Jan 28 at 7:59

treecoder · Accepted Answer · 2011-08-18 08:38:01Z

3

ALWAYS use prepared statements
Do NOT use mysql driver, use mysqli or PDO

answered Aug 18, 2011 at 8:38

treecoder

45.5k23 gold badges71 silver badges96 bronze badges

Sign up to request clarification or add additional context in comments.

Comments

Jacob · Accepted Answer · 2011-08-18 08:39:41Z

2

You should use parameterization and let the database driver handle it for you, i.e. with PDO:

$dbh = new PDO('mysql:dbname=testdb;host=127.0.0.1', $user, $password); 
$stmt = $dbh->prepare('INSERT INTO REGISTRY (name, value) VALUES (:name, :value)');
$stmt->bindParam(':name', $name); 
$stmt->bindParam(':value', $value); 

// insert one row 
$name = 'one'; 
$value = 1; 
$stmt->execute();

Code from Bobby-Tables.

answered Aug 18, 2011 at 8:39

Jacob

43.6k6 gold badges81 silver badges81 bronze badges

Comments

RiaD · Accepted Answer · 2011-08-18 08:39:43Z

1

you may use,

list($id,$music) = array_map('mysql_real_escape_string',array($id,$music))

but prepared statements rocks

answered Aug 18, 2011 at 8:39

RiaD

47.8k12 gold badges85 silver badges128 bronze badges

Comments

SergeS · Accepted Answer · 2011-08-18 08:37:05Z

0

No there isn't, but you can parse all your inputs ( eg. GET and POST ) at beggining of the script

answered Aug 18, 2011 at 8:37

SergeS

11.9k3 gold badges31 silver badges35 bronze badges

1 Comment

Lightness Races in Orbit Over a year ago

"Parse" is too vague to be useful IMO.

Collectives™ on Stack Overflow

php - mysql avoid sql injections

4 Answers 4

Comments

Comments

Comments

1 Comment

Your Answer

Linked

Hot Network Questions

Collectives™ on Stack Overflow

4 Answers 4

Comments

Comments

Comments

1 Comment

Your Answer

Sign up or log in

Post as a guest

Linked

Related