sql-injection

I am trying to set up PHP queries for MySQL in a way to prevent SQL injection (standard website). I had a couple of INSERT queries where changing this worked well but on the following SELECT I keep getting an error since the update and it looks like the while loop doesn't work with the changes I made (it works well without using the statement as in the old code). Can someone tell me what I am doing wrong here ? New PHP: $stmt = $conn->prepare("SELECT ? FROM TranslationsMain WHERE location LIKE '%calendar weekday%' ORDER BY sortOrder, ?"); $stmt->bind_param('s', $selectedLang); $stmt->execute()

I read so many articles saying that using prepared statements is very secure and good to prevent SQL injections. I built a few websites without using prepared statements. But after read all those articles, I am thinking to change whole codes using prepared statements. My Question Is it necessary to use prepared statements always? or is there any scenario whereby normal statement will be sufficient over prepared statements? Non-prepared statements are sufficient if you have an SQL query that is entirely hard-coded, and needs no PHP variables in the SQL. Here's an example: $result = $mysqli-

Sorry for ask here but I cannot found much reference about pymysql's security guide about how do we prevent sql injection, When I do PHP develope I know use mysql preparedstatement(or called Parameterized Query or stmt),but I cannot found reference about this in pymysql simple code use pymysql like sqls="select id from tables where name=%s" attack="jason' and 1=1" cursor.execute(sqls,attack) How do I know this will prevent sql injection attack or not?if prevent succeed,how do pymysql prevent?Is cursor.execute already use preparedstatement by default? Python drivers do not use real query

Ok, So, i'm a little unsure on this. I have a url parameter username . and I have this statement SELECT * FROM users WHERE user_hash = md5($_GET['username']) Is this secure? Upon account creation an md5 hashed version of the username and the password are stored. I'm confused as this seems so simple, if md5 stops sql injection why isn't username and password always saved in hash form? Yes, this will avoid SQL injection, because md5() always returns a string of hex code. But it isn't a general solution to SQL-injection. You would have to encode almost all the data in your tables in MD5 format.

I have pages that only display data from DB tables, the php pages only display the information they don't have any buttons, links, drop down menus, or forms. Im using the old mysql and not the mysqli or PDO for syntax Can I still get a SQl injection hack? In order for SQL Injection to work, they need a way to send SQL Code to your server, as there is no input, it is in theory impossible for them to Inject SQL. (Although I am not an expert in the subject) I would still recommend you to use a framework like mysqli or PDO, you should familiarize yourself with such frameworks as they became the

I'm familiar with prepared statements and I know that they are best practice when it comes to protecting against MySQL injection. But I'm wondering how this PHP/MySQL statement could be at risk of an injection attack: $result = mysqli_query($db,"SELECT name FROM users WHERE id = '".$_POST['name']."';"); It seems to me like the input from the user would be contained inside the single quotes. Can you execute more than one query in one mysqli_query statement? Also, is making the above safe just as easy as this... $result = mysqli_query($db,"SELECT name FROM users WHERE id = '".mysqli_real_escape