php - Simple way to change mysql_query() to MySQLi or PDO or more secure method? -


this question has answer here:

i'm pretty new php , trying learn more in area of making forms secure db more difficult mess via sql injection , such. current web programmer/php guy @ our company quit short notice boss has placed me in php programmers position temporarily single week of training under previous programmer (i lots of html , css work, no php prior), until can find real replacement.

anyways, read using mysql_query() depreciated function , should avoided because method vulnerable. see 2 options use pdo or mysqli. being new php, i'm having trouble figuring out need convert code using (which sends info request quote form on site , stores in database incase of email troubles) more secure method of sending data database via pdo or mysqli.

the current line of code i'm using is:

    $query = mysql_query("insert request_for_quote(rfq_company_name, rfq_name, rfq_email, rfq_phone, rfq_end_user) values ('$rfqcompanyname', '$rfqname', '$rfqemail', '$rfqphone', '$rfqenduser')"); 

which powered $_post variables.

                $rfqname = mysql_real_escape_string($_post['rfq_name']);                 $rfqemail = filter_var($_post['rfq_email'], filter_validate_email);                 $rfqphone = mysql_real_escape_string($_post['rfq_phone']);                 $rfqcompanyname = mysql_real_escape_string($_post['rfq_company_name']);                 $rfqenduser = mysql_real_escape_string($_post['rfq_end_user']); 

now, code need to, seems extremely vulnerable database attacks, , want learn how fix that, seems examples i'm finding online aren't using setup of "insert x,y, , z variables table columns values a, b, c".

are there simple changes make database submission query more secure?

i had written answer form of similar question few (6) months ago can't find of now.

  • search , replace.

find mysql_ , replace mysqli_, replace ("select... , insert after bracket ($dblinkidentifier, "select... $var connection db. procedural mysqli,

the initial link $dblinkidentifier mysqli_connect() construction because can identify several database connections each own $var.

this procedural mysqli format/layout. if want move oo mysqli that's little more complex structurally, better overall.


Comments

Popular posts from this blog

css - SVG using textPath a symbol not rendering in Firefox -

Java 8 + Maven Javadoc plugin: Error fetching URL -

datatable - Matlab struct computations -