this question has answer here:
- how can prevent sql injection in php? 28 answers
i having issues whenever put ' in text on page updates database,
$query = "update news set news1_title='$news1_title', news1_info='$news1_info', news1_body='$news1_body', news2_title='$news1_title', news2_info='$news2_info', news2_body='$news2_body' id=1";
as cuts off , ends throwing text code.
is there way can add things safely, know can use ' when shows in page returns ' , have update them every time ' otherwise errors.
thanks.
you need not directly accept user input query. huge sql vulnerability. where 1=1; drop database;
, delete of information.
instead, consider using prepared statements have data sanitized in safe , automatic way. let's @ oop implementation:
$ret = array(); try{ $mysqli = new mysqli('host', 'user', 'pass', 'db'); $stmt = $mysqli->prepare('update news set news1_title = ?, news1_info = ?, news1_body = ?, news2_title = ?, news2_info = ?, news2_body = ? id = 1'); $stmt->bind_param('ssssss', $news1_title, $news1_info, $news1_body, $news1_title, $news1_info, $news1_body); $stmt->execute() == true; $ret['status'] = 1; $ret['msg'] = 'successfully updated!'; } catch (exception $e ) { $ret['status'] = 0; $ret['msg'] = $e->message; } echo $ret['msg'];
by preparing , binding, we've sanitized our data , no longer face issues you've described above.
Comments
Post a Comment