
Can someone give me a little help with this? I have three PHP SQL queries, and I have to protect them from SQL injection. I am searching on Google, but I think it is too hard for me, because it's combined with PHP and I don't know much about PHP and even less about SQL.

If someone can give me the protected code, I'll be grateful.

The code:

$q=mysql_query("SELECT * FROM user where email= '".$_REQUEST['email']."'",$link );

$q=mysql_query("UPDATE user SET mobilePhone='".$_REQUEST['mobilePhone']."', fullName='".$_REQUEST['fullName']."' WHERE email='".$_REQUEST['email']."'",$link );

$q=mysql_query("UPDATE user SET mobilePhone='".$_REQUEST['mobilePhone']."' , fullName='".$_REQUEST['fullName']."', password='".$_REQUEST['password']."'  WHERE email='".$_REQUEST['email']."'",$link );

3 Answers

2

Well, the simple way would be to wrap each of the $_REQUEST vars in mysql_real_escape_string()...

$q=mysql_query("SELECT * FROM user 
    where email= '".mysql_real_escape_string($_REQUEST['email'])."'",$link );

The better way would be to use prepared queries. There are plenty of tutorials available on how to do it, so I'll leave that to you...
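Since the answer leaves prepared queries as an exercise, here is the OP's three queries rewritten with PDO prepared statements. This is an added example, not code from the answer or the OP; the DSN, database name and credentials are placeholders, and the form is assumed to be POSTed.

```php
<?php
// Added example (not from the original post): the OP's three queries rewritten
// with PDO prepared statements. DSN and credentials below are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',   // assumed DSN
    'dbuser',                                            // placeholder user
    'dbpass',                                            // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares: values never touch the SQL text on the client.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// Read from the array the form actually uses, not $_REQUEST (which also accepts
// GET parameters and cookies, so the value can arrive from more places than intended).
$email       = $_POST['email']       ?? '';
$mobilePhone = $_POST['mobilePhone'] ?? '';
$fullName    = $_POST['fullName']    ?? '';
$password    = $_POST['password']    ?? '';

// 1) SELECT: the value is sent separately from the statement, so quotes,
//    semicolons or comment markers inside it are only data.
$stmt = $pdo->prepare('SELECT * FROM user WHERE email = :email');
$stmt->execute([':email' => $email]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

// 2) UPDATE phone and name
$stmt = $pdo->prepare(
    'UPDATE user SET mobilePhone = :mobilePhone, fullName = :fullName WHERE email = :email'
);
$stmt->execute([
    ':mobilePhone' => $mobilePhone,
    ':fullName'    => $fullName,
    ':email'       => $email,
]);

// 3) UPDATE including password. The column is written as the original code
//    wrote it; how the password is stored is a separate question from injection.
$stmt = $pdo->prepare(
    'UPDATE user SET mobilePhone = :mobilePhone, fullName = :fullName, password = :password
     WHERE email = :email'
);
$stmt->execute([
    ':mobilePhone' => $mobilePhone,
    ':fullName'    => $fullName,
    ':password'    => $password,
    ':email'       => $email,
]);
echo $stmt->rowCount() . " row(s) updated\n";
```

Every `$_REQUEST['...']` that was concatenated into a string has become a named placeholder, so no escaping call is needed anywhere. With `ATTR_EMULATE_PREPARES` off the separation of statement and values is enforced by the server rather than by client-side quoting.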


Comments

2

The least you can do to prevent SQL injection is to use the mysql_real_escape_string function on any variables that go into your queries.

The best you can do is to use prepared statements to avoid SQL injection.

The parameters to prepared statements don't need to be quoted; the driver automatically handles this. If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible).

Suggestion:

To be further on the safer side, you should always use the proper array, e.g. $_POST or $_GET, instead of $_REQUEST for security reasons.
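The parenthetical above is the part people miss: placeholders only carry values, so a column name or sort order taken from the request cannot be bound and must be checked against a fixed list before it is spliced into the statement. The following added example (not from the answer) shows that pattern with mysqli, combining a bound value with a whitelisted identifier, and reads from $_GET as the answer suggests; host, credentials and database name are placeholders.

```php
<?php
// Added example (not from the original answer). Placeholders cover values only,
// so a column name coming from the request is mapped onto a fixed set of allowed
// names before it is placed in the SQL text. Connection details are placeholders.
$mysqli = new mysqli('localhost', 'dbuser', 'dbpass', 'app'); // placeholders
$mysqli->set_charset('utf8mb4');

// A value from the request: always a bound parameter, never concatenated.
$domain = $_GET['domain'] ?? '';

// An identifier from the request: cannot be bound, so only a key of this map is
// accepted, and the constant string it maps to is what reaches the query.
// Anything unknown falls back to the default.
$allowedSort = ['email' => 'email', 'name' => 'fullName', 'phone' => 'mobilePhone'];
$sortColumn  = $allowedSort[$_GET['sort'] ?? ''] ?? 'email';

// $sortColumn is one of our own constants; the LIKE operand stays a parameter.
$sql  = "SELECT email, fullName, mobilePhone FROM user WHERE email LIKE ? ORDER BY `$sortColumn`";
$stmt = $mysqli->prepare($sql);

// LIKE wildcards belong to the value, so they are added to the bound string,
// not written into the statement text.
$pattern = '%@' . $domain;
$stmt->bind_param('s', $pattern);   // 's' = string; bind_param takes the variable by reference
$stmt->execute();

$result = $stmt->get_result();      // requires the mysqlnd driver
while ($row = $result->fetch_assoc()) {
    printf("%s\t%s\t%s\n", $row['email'], $row['fullName'], $row['mobilePhone']);
}
$stmt->close();
```

The rule of thumb this illustrates: if a piece of the statement is a value, bind it; if it is structure (table, column, sort direction, LIMIT), choose it from a list the code controls. Note that `%` and `_` typed by the user inside `$domain` still act as LIKE wildcards; that affects which rows match, not the structure of the statement, and is a data-handling question rather than an injection one.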

Comments

1

Take a look at PHP's mysql_real_escape_string.

3 Comments

Prepared statements with placeholders are a much better practice.
+1, as while prepared statements are better, that doesn't mean using mres is a bad thing. You're still safe...
@ircmaxell nothing bad in mres, if used wisely. And a fool (like OP) would fail with prepared. A brain is the only necessary thing, and the rest is optional.
