I've read about SQL injection so I tried it with my site and of course it worked. I know that the solution is parameterized queries and I also know that there are a lot of
use:
$userPass = mysqli_real_escape_string($mysqli,$_POST["password"]);
This blocks the '' or '=' thing :) where $mysqli is your connection string ofc.
Here you go
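$stmt = mysqli_prepare($dbc, "SELECT * FROM users WHERE username = ? AND password = ?");
// Bind both placeholders in one call: one type letter per parameter
mysqli_stmt_bind_param($stmt, "ss", $userName, $userPass);
mysqli_stmt_execute($stmt);
// mysqli_stmt_fetch() only returns a bool; read the row from the result set
$result = mysqli_stmt_get_result($stmt);
$row = mysqli_fetch_assoc($result);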
Documentation
As a side note, I would recommend encrypting your password, or better, using a hash for security; it's not good to store passwords as plain text.
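The two points of the answer above (a prepared statement and a hashed password) combined into one login check, as an added example that is not part of the original posts. The table layout users(id, username, password_hash), the function names register_user and check_login, and the connection parameters are assumptions made for illustration.

```php
<?php
// Added example, not code from the answers above.
// Assumed schema: users(id INT, username VARCHAR, password_hash VARCHAR(255)).

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

// Store a new user: only the hash is written, never the plain password.
function register_user(mysqli $dbc, string $userName, string $userPass): void
{
    $hash = password_hash($userPass, PASSWORD_DEFAULT);
    $stmt = mysqli_prepare($dbc, "INSERT INTO users (username, password_hash) VALUES (?, ?)");
    mysqli_stmt_bind_param($stmt, "ss", $userName, $hash);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
}

// Return the user's id on success, null on failure.
function check_login(mysqli $dbc, string $userName, string $userPass): ?int
{
    // The password is not part of the query: look the row up by username only.
    $stmt = mysqli_prepare($dbc, "SELECT id, password_hash FROM users WHERE username = ?");
    mysqli_stmt_bind_param($stmt, "s", $userName);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    mysqli_stmt_close($stmt);

    // password_verify() re-hashes the input with the stored salt and compares.
    if (!$row || !password_verify($userPass, $row["password_hash"])) {
        return null; // same result for unknown user and wrong password
    }
    return (int) $row["id"];
}

// Usage (connection parameters are placeholders):
// $dbc = mysqli_connect("localhost", "app_user", "app_password", "app_db");
// register_user($dbc, "alice", "a long passphrase");
// var_dump(check_login($dbc, "alice", "'' or '='")); // NULL: the input is bound as data
```

Because the submitted password never appears in the SQL text, the comparison happens in PHP against the stored hash, and the query has a single bound parameter.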