php - Simple way to change mysql_query() to MySQLi or PDO or more secure method? -
this question has answer here:
- how can prevent sql injection in php? 28 answers
i'm pretty new php , trying learn more in area of making forms secure db more difficult mess via sql injection , such. current web programmer/php guy @ our company quit short notice boss has placed me in php programmers position temporarily single week of training under previous programmer (i lots of html , css work, no php prior), until can find real replacement.
anyways, read using mysql_query()
depreciated function , should avoided because method vulnerable. see 2 options use pdo or mysqli. being new php, i'm having trouble figuring out need convert code using (which sends info request quote form on site , stores in database incase of email troubles) more secure method of sending data database via pdo or mysqli.
the current line of code i'm using is:
$query = mysql_query("insert request_for_quote(rfq_company_name, rfq_name, rfq_email, rfq_phone, rfq_end_user) values ('$rfqcompanyname', '$rfqname', '$rfqemail', '$rfqphone', '$rfqenduser')");
which powered $_post variables.
$rfqname = mysql_real_escape_string($_post['rfq_name']); $rfqemail = filter_var($_post['rfq_email'], filter_validate_email); $rfqphone = mysql_real_escape_string($_post['rfq_phone']); $rfqcompanyname = mysql_real_escape_string($_post['rfq_company_name']); $rfqenduser = mysql_real_escape_string($_post['rfq_end_user']);
now, code need to, seems extremely vulnerable database attacks, , want learn how fix that, seems examples i'm finding online aren't using setup of "insert x
,y
, , z
variables table columns values a
, b
, c
".
are there simple changes make database submission query more secure?
i had written answer form of similar question few (6) months ago can't find of now.
- search , replace.
find mysql_
, replace mysqli_
, replace ("select
... , insert after bracket ($dblinkidentifier, "select
... $var
connection db. procedural mysqli,
the initial link $dblinkidentifier
mysqli_connect()
construction because can identify several database connections each own $var
.
this procedural mysqli format/layout. if want move oo mysqli that's little more complex structurally, better overall.
Comments
Post a Comment