Difference between revisions of "PHP/MySQL"
From dbawiki
(→Using prepared statements to avoid SQL injection) |
(→Using prepared statements to avoid SQL injection) |
||
| Line 7: | Line 7: | ||
$dbPreparedStatement->execute(); | $dbPreparedStatement->execute(); | ||
</pre> | </pre> | ||
| + | |||
| + | Fill your boots on PDO [http://be2.php.net/book.pdo here] | ||
Revision as of 00:51, 4 January 2013
Using prepared statements to avoid SQL injection
Using this method of writing SQL removes the necessity of attempting to clean the input with mysql_real_escape_string()
$dbPreparedStatement = $db->prepare('INSERT INTO table (postId, htmlcontent) VALUES (:postid, :htmlcontent)');
$dbPreparedStatement->bindParam(':postid', $userId, PDO::PARAM_INT);
$dbPreparedStatement->bindParam(':htmlcontent', $yourHtmlData, PDO::PARAM_STR);
$dbPreparedStatement->execute();
Fill your boots on PDO here
