Welcome to WebmasterWorld Guest from

Forum Moderators: coopster & jatar k

Message Too Old, No Replies

Is the code safe from mysql injections?



11:47 am on Feb 9, 2013 (gmt 0)

Is the code safe from mysql injections?
Possibly some mistakes in code?
The code is working... i only want to know possibly some mistakes, etc....

connect to database
$mysqli = new mysqli($dbhost, $dbuser, $dbpass, $dbname);

somewhere read that set character is necessary for security

get users's post email
$email= $mysqli->real_escape_string($_POST['email']);

get corresponding values from columns email, username and confirmationCode (if users enters already registered email, get corresponding values (within the row))
if ($stmt = mysqli_prepare($mysqli, "SELECT email, username, confirmationCode FROM $create_new_table WHERE email = ? ")) {

as i understand this passes users's entered email to value that must be used to check values in mysql?
$stmt->bind_param('s', $email);

execute query

? stores what result? if users's entered email matches email in mysql?

can not fully understand... bind results... what is the difference from bind_param?
$stmt->bind_result($email, $username, $confirmationCode);

get results from mysql?

here inform visitor if email is already registered
elseif( (strlen($_POST['email']) > 0) and ($stmt->num_rows > 0) ) {
$error .= '<font color="#FF0000">The email is already registered. Please, choose other email or <a href="reset-password.php">reset password</a>.


12:09 pm on Feb 9, 2013 (gmt 0)

WebmasterWorld Senior Member swa66 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

Looks ok on first look, but if you use prepared statements, there is no need to use mysqli::real_escape_string on the parameters that you include in the SQL query via the "?" (as bind parameter).

Actually I'm convinced it's better not to do it a it means that you store the escaped strings is you use it in a insert or update statement.

I don't believe it's productive in this example to use mysqli::store_result : it transfers the results to memory. You need it if you want to loop through results and do other queries while iterating over the results.

mysqli::bind_result is used to tell where the columns in the result of a select should go
mysqli::bind_param is used to tell which variable is to replace the "?" in the prepared statement

UTF-8: make sure to get everything else in UTF-8 as well (the html, the database, the fields in the database, ...)


12:24 pm on Feb 9, 2013 (gmt 0)

Thank you for information.
As i understand the main part that prevents sql injection is
WHERE email = ? and then $stmt->bind_param('s', $email);
if instead of ? would be $email then prepared statemnt would not prevent sql injection...


1:31 pm on Feb 9, 2013 (gmt 0)

WebmasterWorld Senior Member swa66 is a WebmasterWorld Top Contributor of All Time 10+ Year Member


Featured Threads

Hot Threads This Week

Hot Threads This Month