Bit of a hot topic lately in my inbox. Here’s what an old, vulnerable query might look like:

$expected_data = 1;
$query = "SELECT * FROM users where id=$expected_data";
$result = $mysqli->query($query);

The problem here is we’re injecting user-submitted data directly into our SQL statement without any sort of escaping or validation. So, a hacker could enter something like this in our form:

1; DROP TABLE users;

Changing our full query to:

SELECT * FROM users where id=1; DROP TABLE users;

Which, as you can probably see, will execute the SELECT statement but then drop our users table. No bueno.
Prepared statements are all the rage right now in PHP development… and for good reason. Not only do prepared statements make your queries more secure… they also help future-proof your code by relying more heavily on PHP itself for that security. If you’re not using prepared statements in your queries, you really should be. Here’s a simple class that helps you do just that using MySQLi: I recommend walking through this code and unraveling how it all comes together. There are a few gotchas when using prepared statements in a dynamic way like this. Or you could just check out
Graham recently asked me: Do I still need to use mysqli_real_escape_string when using prepared statements in PHP? The simple answer is no. The way it used to work is that you would take form input data, put that into a variable, and inject that data into your MySQL query in order to add that data to the database. Now, a big problem with that is SQL Injection attacks where a hacker could inject SQL code into your query and perform actions on your database… which is something you definitely don’t want. So, the standard solution became using mysql_real_escape_string to sanitize
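Putting the three posts above together, here is an added example (not code from the original posts) that shows the vulnerable string-built query next to the same lookup done with a MySQLi prepared statement; the connection credentials, database name and the users table with its integer id column are placeholders.

```php
<?php
// Added example: vulnerable string-built query vs. MySQLi prepared statement.
// Connection details and the `users` table (integer `id` column) are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'app_db');

// VULNERABLE (shown for contrast, never called): the raw input becomes part of
// the SQL text, so whatever the user typed is parsed as SQL.
function find_user_unsafe(mysqli $db, string $input): ?array
{
    $query  = "SELECT * FROM users WHERE id=$input";
    $result = $db->query($query);
    return $result->fetch_assoc() ?: null;
}

// SAFE: the statement is compiled with a ? placeholder first; the value is sent
// afterwards and can only ever be treated as data, so no escaping is needed.
function find_user_safe(mysqli $db, string $input): ?array
{
    if (!ctype_digit($input)) {            // validate the expected type as well
        return null;
    }
    $id   = (int) $input;
    $stmt = $db->prepare('SELECT * FROM users WHERE id=?');
    $stmt->bind_param('i', $id);           // 'i' binds an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed sample inputs: a normal id and the payload from the post above.
foreach (['1', '1; DROP TABLE users;'] as $submitted) {
    $user = find_user_safe($mysqli, $submitted);
    echo $submitted, ' => ', $user ? 'found user ' . $user['id'] : 'no user', PHP_EOL;
}
```

`get_result()` requires the mysqlnd driver, which is the default in modern PHP builds; on older builds use `bind_result()` and `fetch()` instead.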