Home/ Questions/Q 8569823
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-11T18:25:32+00:00

Possible Duplicate: Best way to prevent SQL injection in PHP? This is my code

  • 0

Possible Duplicate:
Best way to prevent SQL injection in PHP?

This is my code

$user_name = "admin";
$password = "123456";
$database = "jbit";
$server = "localhost";
$id = $_POST['id'];
$db_handle = mysql_connect($server, $user_name, $password);
$db_found = mysql_select_db($database, $db_handle);

if ($db_found) {

$SQL = "SELECT * FROM jbit WHERE htno='$id'";
$result = mysql_query($SQL);
$sum = "SELECT htno, SUM(tm) AS tech, ROUND(SUM(tm)/7.5, 2) AS divi, SUM(credits) AS cred , SUM(CASE WHEN credits <= 0 THEN 1 ELSE 0 END) AS log,
SUM(CASE WHEN credits > 0 THEN 1 ELSE 0 END) AS pass, SUM(CASE WHEN em >= 0 THEN 1 ELSE 0 END) AS atm, SUM(CASE WHEN em >= -2 THEN 1 ELSE 0 END) AS tot
FROM jbit WHERE htno='$id'";
$result1 = mysql_query($sum);

Please help me in making this code secured so that i can avoid SQL Injection

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    the better approach will be

    1. mysqli_query()
    2. PDO::query()

    you can use the function below but i/we recommended you to not use function since the mysql_* now anymore maintained and updating by community .

    Its for only your knowledge only

     $id = mysql_prep($_POST['id']);


function mysql_prep($value)
{
    $magic_quotes_active = get_magic_quotes_gpc();
    $new_enough_php = function_exists("mysql_real_escape_string"); // i.e. PHP >= v4.3.0
    if ($new_enough_php) { // PHP v4.3.0 or higher
        // undo any magic quote effects so mysql_real_escape_string can do the work
        if ($magic_quotes_active) {
            $value = stripslashes($value);
        }
        $value = mysql_real_escape_string($value);
    } else { // before PHP v4.3.0
        // if magic quotes aren't already on then add slashes manually
        if (!$magic_quotes_active) {
            $value = addslashes($value);
        }
        // if magic quotes are active, then the slashes already exist
    }
    return  $value ;
}

    Good read

    Best way to prevent SQL injection in PHP?

    • 0