Home/ Questions/Q 7551579
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-30T10:31:59+00:00

I am finding it necessary to work in an area that I have very

  • 0

I am finding it necessary to work in an area that I have very little knowledge in. I have to secure a website database that uses about 20 MySQL SELECT calls to supply information to website visitors. The calls all take the form of:

$leadstory = "-1";
if (isset($_GET['leadstory'])) {
  $leadstory = $_GET['leadstory'];
}

$query_News = "SELECT * FROM news WHERE lead_story = $leadstory";
$News = mysql_query($query_News, $HDAdave) or die(mysql_error());
$row_News = mysql_fetch_assoc($News);
$totalRows_News = mysql_num_rows($News);

In a previous post I asked if these SELECT statements were vulnerable to sql insertion attacks. The answer was yes as you all probably know. I have done some reading and understand that I need to use mysqli and something like the following:

$statement = $db_connection->prepare("SELECT * FROM news WHERE lead_story = ?;';");
$statement->bind_param("s", $leadstory);
$statement->execute();
$row_News = $statement->fetchAll();

I have a few questions.

  1. Do I need an “or die” type line if the connection fails?

  2. How do I assign $totalRows_News?

  3. Do I also need to “clean” the $leadstory variable with mysql_real_escape_string?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Using PDO would make your life so much easier

    $pdo = new PDO(...);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$stmt = $pdo->prepare('SELECT * FROM news WHERE lead_story = ?');
$stmt->bindParam(1, $leadStory);
$stmt->execute();

$allRows_News = $stmt->fetchAll();
$totalRows_News = count($allRows_News);
    • 0