Difference between revisions of "PHP/MySQL"
From dbawiki
(Created page with "===Using prepared statements to avoid SQL injection=== <pre> $dbPreparedStatement = $db->prepare('INSERT INTO table (postId, htmlcontent) VALUES (:postid, :htmlcontent)'); $db...") |
(→Using prepared statements to avoid SQL injection) |
||
| Line 1: | Line 1: | ||
===Using prepared statements to avoid SQL injection=== | ===Using prepared statements to avoid SQL injection=== | ||
| + | Using this method of writing SQL removes the necessity to attempt to clean the input with mysql_real_escape_string() | ||
<pre> | <pre> | ||
$dbPreparedStatement = $db->prepare('INSERT INTO table (postId, htmlcontent) VALUES (:postid, :htmlcontent)'); | $dbPreparedStatement = $db->prepare('INSERT INTO table (postId, htmlcontent) VALUES (:postid, :htmlcontent)'); | ||
Revision as of 22:52, 30 December 2012
Using prepared statements to avoid SQL injection
Using this method of writing SQL removes the necessity to attempt to clean the input with mysql_real_escape_string()
$dbPreparedStatement = $db->prepare('INSERT INTO table (postId, htmlcontent) VALUES (:postid, :htmlcontent)');
$dbPreparedStatement->bindParam(':postid', $userId, PDO::PARAM_INT);
$dbPreparedStatement->bindParam(':htmlcontent', $yourHtmlData, PDO::PARAM_STR);
$dbPreparedStatement->execute();
