User inputs, clean and sanitize before sending to db

Question

I\'ve searched a lot of the questions here and I found that they either very old or suggesting using prepared statements PDO which I am not

Answer 1

You also have another option. You can use prepared statements with mysqli

They aren't very difficult to learn and work a bit better than mysqli_real_escape_string() in that you don't need to worry about escaping every single variable that will be in your query. They are by nature "prepared" before they go into the database. There are other advantages to this as well, in that:

1. you do not need to addslashes() to be able to handle characters with apostrophes etc.

2. for large databases, they will considerably speed up your queries (much like PDO).

Here's how to do it:

You connect to the database by creating a new mysqli object like this:

$conn = new mysqli($host, $username, $password, $dbname);

if ($conn->connect_error) {
    die("Connection failed: " . $dbc->connect_error);
    }

Next you want to convert your variables from your form.

Say you have a form field like this:

you can use htmlentities and trim together like so, and create your $var1 variable:

$var1 = htmlentities(trim($_POST['var1']));

Then you can create your transaction like this:

$stmt= $conn->prepare("insert into tablename (key1, key2) values (?,?)");
$stmt->bind_param("is",$var1, $var2);
$stmt->execute();
$stmt->close();

That's basically it. You do a query just like you normally would, but instead use the ? placeholders, assigning the datatype (above is i for integer, and s for string) and then bind them to your placeholders in the query.

That's basically it.

if you want to do it with a select with a variable, you use the normal select syntax and the same way with a ? with the variable, and then bind it. You can then bind your results into variables easily like so (assuming var3 is an integer):

$stmt= $conn->prepare("select var1, var2  from tablename where var3 = ?");
$stmt = bind_param("i", $var3);
$stmt->bind_result($var1, $var2);
$stmt->execute();
$stmt->close()

and then you can fetch your variables using this

$stmt->fetch();

or if your query brings back multiple rows

while ($stmt->fetch() {
    echo $var1 . $var2;
}

nl2br() is used for output, you don't need to worry about input; it can be stored in the database as \n, and when you need it spits it out as breaks. If one of these variables needs the new lines turned into
tags, you can, as you suggest use nl2br() on the variables (note this adds no security, but as you said you needed it), like so

echo nl2br($var1, false);

you can also use trim() and htmlentities() on this if it is being echoed into, say, a form input field and you don't want your form to break if there are html characters in the output.