Difference between revisions of "PHP/MySQL"
From dbawiki
(→Using prepared statements to avoid SQL injection) |
(→Using prepared statements to avoid SQL injection) |
||
| Line 1: | Line 1: | ||
===Using prepared statements to avoid SQL injection=== | ===Using prepared statements to avoid SQL injection=== | ||
| − | Using this method of writing SQL removes the necessity | + | Using this method of writing SQL removes the necessity of attempting to clean the input with mysql_real_escape_string() |
<pre> | <pre> | ||
$dbPreparedStatement = $db->prepare('INSERT INTO table (postId, htmlcontent) VALUES (:postid, :htmlcontent)'); | $dbPreparedStatement = $db->prepare('INSERT INTO table (postId, htmlcontent) VALUES (:postid, :htmlcontent)'); | ||
Revision as of 22:52, 30 December 2012
Using prepared statements to avoid SQL injection
Using this method of writing SQL removes the necessity of attempting to clean the input with mysql_real_escape_string()
$dbPreparedStatement = $db->prepare('INSERT INTO table (postId, htmlcontent) VALUES (:postid, :htmlcontent)');
$dbPreparedStatement->bindParam(':postid', $userId, PDO::PARAM_INT);
$dbPreparedStatement->bindParam(':htmlcontent', $yourHtmlData, PDO::PARAM_STR);
$dbPreparedStatement->execute();
