I've been reading up on sql injection. I have been however using sqli instead of sql. It says to use the bind function
....this is the example
1. $variable = "O'Reilly";
2. // prepare the query
3. $query = $mysqli->prepare( "SELECT x, y, z FROM tablename WHERE user = ?" );
4.
5. // bind a parameter - here the first parameter is a short string that specifies the type that the
6. // subsequent arguments should be:
7. // 's' means a string
8. // 'd' means a double
9. // 'i' means an integer
10. // 'b' is a blob
11. $query->bind_param( 's', $variable );
12.
13. // execute query:
14. $query->execute( );
15.
16. // so if we had a more complex query, which updated the user info with
17. // "favorite_color" (a string), "age" ( an integer ) and "description", a blob:
18.
19. $query = $mysqli->prepare( "UPDATE tablename SET favorite_color = ?, age = ?, description = ? WHERE user = ?" );
20. // we would have a bind looking like this:
21. $query->bind_param( 'sibs', 'red', 27, $some_blob, $variable );
22. $query->execute();
It seemed pretty simple (I'm new at php) but I'm not able to make it work. Any suggestions? Line 36 $query = $mysqli->prepare....
Notice: Undefined variable: mysqli in C:\PHP\test_form_2.php on line 36
Fatal error: Call to a member function prepare() on a non-object in C:\PHP\test_form_2.php on line 36
<?php
$userid=$_POST['userid'];
$first=$_POST['first'];
$last=$_POST['last'];
$organ=$_POST['organ'];
$email=$_POST['email'];
$comments=$_POST['comments'];
@ $db=new mysqli('localhost', 'xxx', 'xxx','xxx');
if (mysqli_connect_errno())
{
echo 'Error: Could not connect to database.';
exit;
}
$query = $mysqli->prepare("insert into itesuser values ('userid','first','last','organ','email','comments')");
$query->bind_param('$userid' , '$first' , '$last' , '$organ' , '$email' , '$comments');
$query->execute();
$result = $db->query($query);
if ($result)
echo $db->affected_rows.' record has been inserted into the database<br> <span class="style1">Thank You.</span>';
$db->close();
?>
....this is the example
1. $variable = "O'Reilly";
2. // prepare the query
3. $query = $mysqli->prepare( "SELECT x, y, z FROM tablename WHERE user = ?" );
4.
5. // bind a parameter - here the first parameter is a short string that specifies the type that the
6. // subsequent arguments should be:
7. // 's' means a string
8. // 'd' means a double
9. // 'i' means an integer
10. // 'b' is a blob
11. $query->bind_param( 's', $variable );
12.
13. // execute query:
14. $query->execute( );
15.
16. // so if we had a more complex query, which updated the user info with
17. // "favorite_color" (a string), "age" ( an integer ) and "description", a blob:
18.
19. $query = $mysqli->prepare( "UPDATE tablename SET favorite_color = ?, age = ?, description = ? WHERE user = ?" );
20. // we would have a bind looking like this:
21. $query->bind_param( 'sibs', 'red', 27, $some_blob, $variable );
22. $query->execute();
It seemed pretty simple (I'm new at php) but I'm not able to make it work. Any suggestions? Line 36 $query = $mysqli->prepare....
Notice: Undefined variable: mysqli in C:\PHP\test_form_2.php on line 36
Fatal error: Call to a member function prepare() on a non-object in C:\PHP\test_form_2.php on line 36
<?php
$userid=$_POST['userid'];
$first=$_POST['first'];
$last=$_POST['last'];
$organ=$_POST['organ'];
$email=$_POST['email'];
$comments=$_POST['comments'];
@ $db=new mysqli('localhost', 'xxx', 'xxx','xxx');
if (mysqli_connect_errno())
{
echo 'Error: Could not connect to database.';
exit;
}
$query = $mysqli->prepare("insert into itesuser values ('userid','first','last','organ','email','comments')");
$query->bind_param('$userid' , '$first' , '$last' , '$organ' , '$email' , '$comments');
$query->execute();
$result = $db->query($query);
if ($result)
echo $db->affected_rows.' record has been inserted into the database<br> <span class="style1">Thank You.</span>';
$db->close();
?>