homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Visit PubCon.com
Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
Forum Library, Charter, Moderators: coopster & jatar k

PHP Server Side Scripting Forum

Is the code safe from mysql injections?

 11:47 am on Feb 9, 2013 (gmt 0)

Is the code safe from mysql injections?
Possibly some mistakes in code?
The code is working... i only want to know possibly some mistakes, etc....

connect to database
$mysqli = new mysqli($dbhost, $dbuser, $dbpass, $dbname);

somewhere read that set character is necessary for security

get users's post email
$email= $mysqli->real_escape_string($_POST['email']);

get corresponding values from columns email, username and confirmationCode (if users enters already registered email, get corresponding values (within the row))
if ($stmt = mysqli_prepare($mysqli, "SELECT email, username, confirmationCode FROM $create_new_table WHERE email = ? ")) {

as i understand this passes users's entered email to value that must be used to check values in mysql?
$stmt->bind_param('s', $email);

execute query

? stores what result? if users's entered email matches email in mysql?

can not fully understand... bind results... what is the difference from bind_param?
$stmt->bind_result($email, $username, $confirmationCode);

get results from mysql?

here inform visitor if email is already registered
elseif( (strlen($_POST['email']) > 0) and ($stmt->num_rows > 0) ) {
$error .= '<font color="#FF0000">The email is already registered. Please, choose other email or <a href="reset-password.php">reset password</a>.



 12:09 pm on Feb 9, 2013 (gmt 0)

Looks ok on first look, but if you use prepared statements, there is no need to use mysqli::real_escape_string on the parameters that you include in the SQL query via the "?" (as bind parameter).

Actually I'm convinced it's better not to do it a it means that you store the escaped strings is you use it in a insert or update statement.

I don't believe it's productive in this example to use mysqli::store_result : it transfers the results to memory. You need it if you want to loop through results and do other queries while iterating over the results.

mysqli::bind_result is used to tell where the columns in the result of a select should go
mysqli::bind_param is used to tell which variable is to replace the "?" in the prepared statement

UTF-8: make sure to get everything else in UTF-8 as well (the html, the database, the fields in the database, ...)


 12:24 pm on Feb 9, 2013 (gmt 0)

Thank you for information.
As i understand the main part that prevents sql injection is
WHERE email = ? and then $stmt->bind_param('s', $email);
if instead of ? would be $email then prepared statemnt would not prevent sql injection...


 1:31 pm on Feb 9, 2013 (gmt 0)


Global Options:
 top home search open messages active posts  

Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved