Hi,

I wonder what is the best way to prevent injection against user input. There are a lot of examples, but one says "magic_quotes_gpc" is good but will be removed from PHP soon. Therefore, there is no point in using it. Another says "mysql_real_escape_string and addslashes" are just used to clean inputs. Etc etc.

I am confused about what to really use. Can anyone make the code below best practice please.

Thanks in advance

<?php
$uid=$_POST["username"];
$psw=$_POST["password"];

// $uid and $psw are interpolated straight into the SQL string
$query="SELECT * FROM mytable WHERE uid='$uid' AND psw=sha1('$psw')";

$runit=mysql_query($query);
?>

Edited 3 Years Ago by mike_2000_17: Fixed formatting

The best way to go is to use prepared statements - you can read why here; there's a good example:

{snipped}

and more about SQL Injection here:

{snipped}

Edited 4 Years Ago by diafol: Plugging a website on a v. old thread

Hi,

I agree with others that PDO/Prepared Statements are the way forward.

I only started learning PDO about two weeks ago and even though it can be a little confusing to begin with, it's well worth the learning curve. I am now using PDO and it makes mysql look ancient in comparison, and the code is much cleaner.

I learnt it by searching Google and I did buy a book which I would highly recommend. It's for beginners but covers everything you need to know; it takes you through building a simple application and as the book goes on you make alterations to the application. The book is well worth the money if you can afford it, and not like many other books that jump ahead too quickly without much explanation. This book explains things in good detail and with good examples, plus the benefit of learning to build a simple application to get you understanding and learning PDO to its full advantage. The book is called Learning PHP Data Objects. Here's a link to the Amazon UK site for the book. This book can get you understanding and learning PDO very quickly and is easy to follow along with.

All the Best,
phplover
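As an added example (not code from the thread or from any of the posters), here is the original login query rewritten with a PDO prepared statement, which is what both replies above recommend. The table and column names mirror the first post; the DSN, the helper function names and the sample user are assumptions, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example, not from the thread. sha1() is kept only to match the
// poster's existing psw column; with the MySQL driver the same query can
// be written as "... AND psw = sha1(:psw)" and the raw password bound.

function connect(): PDO {
    // Assumption: sqlite::memory: for the demo; in production use e.g.
    // 'mysql:host=localhost;dbname=mydb;charset=utf8mb4' with user/password.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Returns the matching row, or null when the credentials do not match.
function findUser(PDO $pdo, string $uid, string $psw): ?array {
    // The SQL text contains no user data at all. The driver sends the
    // values separately, so quotes or semicolons inside $uid stay literal
    // data and can never change the structure of the statement.
    $stmt = $pdo->prepare('SELECT uid FROM mytable WHERE uid = :uid AND psw = :psw');
    $stmt->execute([':uid' => $uid, ':psw' => sha1($psw)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data so the script is self-contained.
$pdo = connect();
$pdo->exec('CREATE TABLE mytable (uid TEXT PRIMARY KEY, psw TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO mytable (uid, psw) VALUES (:uid, :psw)');
$ins->execute([':uid' => "o'brien", ':psw' => sha1('correct horse')]);

// A username with an apostrophe would have broken the interpolated
// query in the first post ("... WHERE uid='o'brien' ..."); with binding
// it is just another value, so the first lookup succeeds and the second,
// with a wrong password, returns null.
var_dump(findUser($pdo, "o'brien", 'correct horse'));
var_dump(findUser($pdo, "o'brien", 'wrong password'));

// Reading from the form, as in the original post:
// $user = findUser($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
```

Escaping helpers such as mysql_real_escape_string only try to neutralise data after it has been mixed into the query text; a prepared statement never mixes the two in the first place, which is why the replies above call it the way forward.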
