Properly sanitize multiple user inputs using mysqli

Question

Properly sanitize multiple user inputs using mysqli

I am currently using mysqli and I want to properly sanitize every user input. I am looking for the easiest easy way to do this, since I understand that Im should NOT use mysql_real_escape ....

my request looks like this

$stmt = $sql->prepare("INSERT INTO Persons (msg, ip, time, main, twit, city, lat, lon, lang)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)");

since I understand that I have to use the bindParam function ... If I use it that way, am I sure I provide my user inputs?

$stmt->bind_param('sssssssss', $_POST[msg], ('$ip'), ('$date'), '$_POST[main]', '$_POST[twit]',  ('$cit'), ('$lat'), ('$lon'), '$_POST[lang]');
$stmt->execute();
$stmt->close();

If this does not protect my user inputs, how to do it right?

+5

security php mysqli bind

uneducatedguy Apr 25 '13 at 7:01

source share

2 answers

, PHP

'$_POST[msg]' $_POST[msg], $_POST ['msg'].

0

Your Common Sense 25 . '13 7:58

Dave · Accepted Answer · 2013-04-25T07:06:42+0000

You need to prepare the expression for security. Something like below (maybe not 100%, but gives you an idea)

 $sql = new mysqli("localhost", "my_user", "my_password", "world");


    $stmt = $sql->prepare("INSERT INTO Persons (msg, ip, time, main, twit, city, lat, lon, lang)
        VALUES
        (?, ?, ?, ?, ?, ?, ?, ?, ?)");
        $stmt->bind_param("sssssssss",$_POST[msg], $ip, $date, $_POST[main], $_POST[twit],  $cit, $lat, $lon, $_POST[lang]);
    $stmt->execute();

Properly sanitize multiple user inputs using mysqli

More articles: