
How Can I Safely Include PHP Variables in MySQL Statements?

Barbara Streisand
Release: 2024-12-25 08:10:29

Including PHP Variables in MySQL Statements

Splicing a PHP variable straight into the VALUES clause of an INSERT breaks as soon as the value contains a quote (a name such as John O'Hara ends the string literal early and the rest is parsed as SQL), and when the value is user-controlled the same mechanism is SQL injection. The fix is to keep variables out of the SQL text altogether: data literals go in as bound parameters, and anything that cannot be a parameter is checked against a whitelist first.

Utilize Prepared Statements

Data literals (strings and numbers) must reach the query through prepared statements, never through string concatenation. The procedure is:

  1. Replacing variables with placeholders in your SQL statement
  2. Preparing the revised query
  3. Binding variables to placeholders
  4. Executing the query

Adding Data Literals with Mysqli

Since PHP 8.2, mysqli::execute_query() combines prepare, bind and execute into a single call:

$type        = 'testing';
$reporter    = "John O'Hara";                 // the quote is no longer a problem
$description = 'Bound as a parameter, never parsed as SQL';
$sql = "INSERT INTO contents (type,reporter,description) VALUES (?,?,?)";
$mysqli->execute_query($sql, [$type, $reporter, $description]);

For older PHP versions:

$type        = 'testing';
$reporter    = "John O'Hara";
$description = 'Bound as a parameter, never parsed as SQL';
$sql  = "INSERT INTO contents (type,reporter,description) VALUES (?,?,?)";
$stmt = $mysqli->prepare($sql);
$stmt->bind_param("sss", $type, $reporter, $description); // one type letter per placeholder
$stmt->execute();

Adding Data Literals with PDO

With PDO, execute() accepts the values directly, so no separate bind step is needed:

$type        = 'testing';
$reporter    = "John O'Hara";
$description = 'Bound as a parameter, never parsed as SQL';
$sql  = "INSERT INTO contents (type,reporter,description) VALUES (?,?,?)";
$stmt = $pdo->prepare($sql);
$stmt->execute([$type, $reporter, $description]); // values are passed in placeholder order

Filter Variables for Other Query Parts

Placeholders can only stand for data literals. A variable that supplies any other part of the query (a table or column name, the ORDER BY direction, a keyword such as ASC or DESC) cannot be bound, so it must be compared against a fixed list of values your code allows (a whitelist), and only the whitelist's own entry, never the raw input, is put into the SQL text.

For example, to filter a field name based on user input:

$orderby = $_GET['orderby'] ?? "name"; // default when the parameter is absent
$allowed = ["name", "price", "qty"]; // the whitelist of allowed field names
$key = array_search($orderby, $allowed, true); // strict comparison; false if not found
if ($key === false) {
    throw new InvalidArgumentException("Invalid field name");
}
$orderby = $allowed[$key]; // use the whitelist's own value, never the raw input
$sql = "SELECT * FROM products ORDER BY `$orderby`"; // safe to splice in now (table name assumed for illustration)
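The added example below (not code from the article) carries the whitelist idea through a complete query: it generalises the field-name check above to the sort direction as well, clamps the LIMIT to an integer, and keeps the search term as a bound parameter so that both kinds of variable are handled in one function. It assumes pdo_sqlite and runs against an in-memory SQLite database; the products table, its columns and the sample rows are constructed for the example.

```php
<?php
// Added example, not from the original article.
// Assumes pdo_sqlite; the products table and rows are constructed sample data.

const ALLOWED_SORT_FIELDS = ['name', 'price', 'qty'];
const ALLOWED_DIRECTIONS  = ['ASC', 'DESC'];

// Return the whitelist's own copy of an identifier or keyword, or throw.
// array_search() with strict=true so that values like "0" or true cannot
// match an entry through type juggling.
function pickAllowed(string $value, array $allowed, string $what): string
{
    $key = array_search($value, $allowed, true);
    if ($key === false) {
        throw new InvalidArgumentException("Invalid $what: $value");
    }
    return $allowed[$key];
}

// $params stands in for $_GET: every value is an untrusted string.
function findProducts(PDO $pdo, array $params): array
{
    // Identifiers and keywords: whitelisted, then spliced into the SQL text.
    $orderby = pickAllowed($params['orderby'] ?? 'name', ALLOWED_SORT_FIELDS, 'field name');
    $dir     = pickAllowed(strtoupper($params['dir'] ?? 'asc'), ALLOWED_DIRECTIONS, 'sort direction');
    // Numeric limit: cast to int and clamp to a sane range.
    $limit   = max(1, min(100, (int) ($params['limit'] ?? 20)));
    // Data literal: stays a bound parameter (note that % and _ are LIKE wildcards).
    $search  = '%' . ($params['q'] ?? '') . '%';

    $sql  = "SELECT name, price, qty FROM products
             WHERE name LIKE :q
             ORDER BY `$orderby` $dir
             LIMIT :limit";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':q', $search, PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE products (name TEXT, price REAL, qty INTEGER)");
$pdo->exec("INSERT INTO products VALUES ('bolt', 0.10, 500), ('nut', 0.05, 800), ('washer', 0.02, 300)");

// Legitimate request: two most expensive items whose name contains 'b' or 'n' etc.
print_r(findProducts($pdo, ['orderby' => 'price', 'dir' => 'desc', 'limit' => '2']));

// Constructed hostile input: would land in ORDER BY unchanged without the whitelist.
try {
    findProducts($pdo, ['orderby' => 'name; DROP TABLE products; --']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The whitelist arrays are constants rather than something derived from the request, and pickAllowed() returns the array's own element, so even a value that compares equal to an entry never reaches the SQL text in the form the client sent it. The LIMIT is bound with PDO::PARAM_INT after the cast; against MySQL this also works with emulated prepares, where a string-typed value would be quoted and rejected.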


source:php.cn