Home/ Questions/Q 648303
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T21:49:02+00:00

Possible Duplicate: Best way to stop SQL Injection in PHP I have seen some

  • 0

Possible Duplicate:
Best way to stop SQL Injection in PHP

I have seen some of examples that use something called a PDO to make a query safe from sql-infection, or others that use real_escape, but they all seem to be incomplete or assume some knowledge. So I ask, take this simple update query and make it safe from sql-injection.

function updateUserName($id,$first,$last)
{
    $qry = 'UPDATE user SET first = "'.$first.'", last = "'.$last.'" WHERE id = '.$id;
    mysql_query($qry) or die(mysql_error());
}
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Basically, you have to :

    Which, in your specific case, would give something like this :

    $qry = 'UPDATE user SET first = "'
    . mysql_real_escape_string($first)
    . ' ", last = "'
    . mysql_real_escape_string($last)
    . '" WHERE id = '
    . intval($id);

    Of course, this is considering that last and first are varchar, and that id is an integer.

    As a sidenote : when an SQL error (this is also true for whatever kind of error you can thing about) occurs, you should not display a technical error message and just let the script die.

    Your users will not understand that technical error message — they won’t know what to do with it, and it’s not their problem.

    Instead, you should log (to a file, for instance) that technical error message, for your own usage ; and display a nice “oops an error occured” page to the user.

    • 0