Possible Duplicate:
How can I prevent SQL injection in PHP?
This is the example on w3schools.org:
HTML form:
<html>
<body>
<form action="insert.php" method="post">
Firstname: <input type="text" name="firstname" />
Lastname: <input type="text" name="lastname" />
Age: <input type="text" name="age" />
<input type="submit" />
</form>
</body>
</html>
File insert.php:
<?php
$con = mysql_connect("localhost","peter","abc123");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("my_db", $con);
$sql="INSERT INTO Persons (FirstName, LastName, Age)
VALUES
('$_POST[firstname]','$_POST[lastname]','$_POST[age]')";
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "1 record added";
mysql_close($con)
?>
I’ve read through other questions on here, but I couldn’t find a direct answer, as most were much more complicated.
I looked at How can I prevent SQL injection in PHP?, but I’m a bit confused on how to modify this:
$preparedStatement = $db->prepare('INSERT INTO table (column) VALUES (:column)');
$preparedStatement->execute(array(':column' => $unsafeValue));
Assuming I used the HTML form above and wanted to insert the data from field ‘firstname’ into the database, should it look like this? Or am I supposed to modify column?:
$preparedStatement = $db->prepare('INSERT INTO table (column) VALUES (:column)');
$preparedStatement->execute(array(':column' => $firstname));
The example you provided inserts the post vars into the database without first analyzing them for evil user input. Use type casting, escaping/filter functions, prepared statements etc. before using them to interact with your DB.
A general rule to go by is to never trust user input. EVER!
Check out: Best way to stop SQL Injection in PHP
In response to your question, here is how you’d handle the entire form using PDO prepared statements.
If you just want to insert one column in the record like you asked, the syntax would be: