1. Home
  2. Forums Index
  3. Server Side / PHP Server Side Scripting 10:58 pm Apr 27, 2026

Forum Moderators: coopster

Message Too Old, No Replies

Is the code safe from mysql injections?

         

rigaconnect

11:47 am on Feb 9, 2013 (gmt 0)

10+ Year Member



Is the code safe from mysql injections?
Possibly some mistakes in code?
The code is working... i only want to know possibly some mistakes, etc....

connect to database
$mysqli = new mysqli($dbhost, $dbuser, $dbpass, $dbname);

somewhere read that set character is necessary for security
$mysqli->set_charset('utf8');

get users's post email
$email= $mysqli->real_escape_string($_POST['email']);

get corresponding values from columns email, username and confirmationCode (if users enters already registered email, get corresponding values (within the row))
if ($stmt = mysqli_prepare($mysqli, "SELECT email, username, confirmationCode FROM $create_new_table WHERE email = ? ")) {

as i understand this passes users's entered email to value that must be used to check values in mysql?
$stmt->bind_param('s', $email);

execute query
$stmt->execute();

? stores what result? if users's entered email matches email in mysql?
$stmt->store_result();


can not fully understand... bind results... what is the difference from bind_param?
$stmt->bind_result($email, $username, $confirmationCode);

get results from mysql?
$stmt->fetch();


here inform visitor if email is already registered
elseif( (strlen($_POST['email']) > 0) and ($stmt->num_rows > 0) ) {
$error .= '<font color="#FF0000">The email is already registered. Please, choose other email or <a href="reset-password.php">reset password</a>.
</font>';

swa66

12:09 pm on Feb 9, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Looks ok on first look, but if you use prepared statements, there is no need to use mysqli::real_escape_string on the parameters that you include in the SQL query via the "?" (as bind parameter).

Actually I'm convinced it's better not to do it a it means that you store the escaped strings is you use it in a insert or update statement.

I don't believe it's productive in this example to use mysqli::store_result : it transfers the results to memory. You need it if you want to loop through results and do other queries while iterating over the results.

mysqli::bind_result is used to tell where the columns in the result of a select should go
mysqli::bind_param is used to tell which variable is to replace the "?" in the prepared statement


UTF-8: make sure to get everything else in UTF-8 as well (the html, the database, the fields in the database, ...)

rigaconnect

12:24 pm on Feb 9, 2013 (gmt 0)

10+ Year Member



Thank you for information.
As i understand the main part that prevents sql injection is
WHERE email = ? and then $stmt->bind_param('s', $email);
if instead of ? would be $email then prepared statemnt would not prevent sql injection...

swa66

1:31 pm on Feb 9, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



correct
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. Server Side / PHP Server Side Scripting 10:58 pm Apr 27, 2026