I have long used mysql_query() to do my stuff, but now I am shifting to prepared statements for two reasons: performance and no SQL injection possibility.
This is how I am using it:
function add_new_user($e_mail1, $username, $pass)
{
    // db.php creates the $mysqli connection. require_once only runs the file on
    // its first inclusion, so the connection is kept in a static variable;
    // otherwise $mysqli would be undefined on the second call to this function.
    static $mysqli = null;
    if ($mysqli === null) {
        require_once "db.php";
    }
    // The SQL text is fixed; the three values travel separately as bound
    // parameters ('sss' = three strings), so they cannot change the statement.
    $stmt = $mysqli->prepare("INSERT INTO un_users VALUES ('', ?, ?, 0, 0, ?, 0)");
    $stmt->bind_param('sss', $e_mail1, $username, $pass);
    $stmt->execute();
    $stmt->close();
}
I am not sanitizing the three variables ($e_mail1, $username, $pass) when I pass them to the function, or doing anything else to them.
Am I doing it the correct way, or did I screw up somewhere or need to do something else? I'm a newbie with this (still going through the docs), so feel free to shower your knowledge :D
Thanks!
Wikipedia says: Prepared statements are resilient against SQL injection, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur.
A prepared statement is a parameterized, reusable SQL query that forces the developer to write the SQL command and the user-provided data separately. The statement template is sent to the server and parsed once; the values are sent afterwards as typed parameters and are never parsed as SQL, so they cannot change the structure of the command, which prevents SQL injection.
SQL injection in a PHP application occurs when attacker-controlled input is built into the text of a SQL query (for example by string concatenation into mysql_query()). The attacker can then make the application execute injected SQL commands, read or modify the database, and control the behavior of the application.
Yes, you are doing it correctly.
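As an added example (not code from the question or the answer above), the string-built query the asker moved away from is shown beside the prepared-statement version, together with a connection helper that avoids the require_once-inside-a-function pitfall and password hashing, which prepared statements do not provide on their own. The column names email, username and password, the db() helper, and the connection credentials are assumptions; the question's INSERT does not name its columns.

```php
<?php
// Added example, not from the question or answer. Assumes a table `un_users`
// with columns email, username and password (assumed names) and a MySQL
// server reachable with the placeholder credentials below.
declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false, so a
// failed prepare() or execute() cannot be missed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Connection helper (assumed, replaces `require_once "db.php"` inside the
// function). require_once runs a file only on its first inclusion, so a
// $mysqli created inside a function's scope disappears on the second call;
// a static keeps one connection for the whole request.
function db(): mysqli
{
    static $mysqli = null;
    if ($mysqli === null) {
        $mysqli = new mysqli('localhost', 'app_user', 'secret', 'app'); // placeholder credentials
        $mysqli->set_charset('utf8mb4');
    }
    return $mysqli;
}

// VULNERABLE: the values are concatenated into the SQL text, so the input is
// parsed as SQL. A username such as
//   x', 'p', 0, 0, 'q', 0); DROP TABLE un_users; --
// becomes part of the statement instead of data.
function add_new_user_vulnerable(string $email, string $username, string $pass): void
{
    $sql = "INSERT INTO un_users (email, username, password) "
         . "VALUES ('$email', '$username', '$pass')";
    db()->query($sql);
}

// SAFE: the template is a fixed string; the three values are bound as string
// parameters and sent separately, so whatever they contain they can only ever
// be data. The same username above is simply stored as a literal string.
function add_new_user(string $email, string $username, string $pass): void
{
    // Store a password hash, never the plaintext password. Prepared statements
    // stop injection; they do nothing for what you choose to store.
    $hash = password_hash($pass, PASSWORD_DEFAULT);

    $stmt = db()->prepare(
        "INSERT INTO un_users (email, username, password) VALUES (?, ?, ?)"
    );
    $stmt->bind_param('sss', $email, $username, $hash);
    $stmt->execute();
    $stmt->close();
}

// Login check using the same pattern: the SELECT is parameterized and the
// password is compared against the stored hash, never against plaintext.
function check_login(string $username, string $pass): bool
{
    $stmt = db()->prepare("SELECT password FROM un_users WHERE username = ?");
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();

    return $found && password_verify($pass, $hash);
}

// Usage:
// add_new_user('alice@example.com', 'alice', 'correct horse battery staple');
// var_dump(check_login('alice', 'correct horse battery staple')); // bool(true)
```

Two things the bound parameters do not cover are worth keeping in mind: the table and column names in the template must never come from user input (bind_param cannot parameterize identifiers), and the value you bind is stored exactly as given, so validation of the e-mail format and length still belongs in your application code.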