benjiman benjiman - 4 months ago 10
MySQL Question

PHP and MySQL form submit

In this block of code where do I put mysqli_real_escape_string() ?

Or if you have a better way of writing the whole block I'm interested to hear.

<?php
$title = ($_POST["title"]);
$date = ($_POST["date"]);
$content = ($_POST["content"]);

$query = "INSERT INTO months (";
$query .= " title, date, content ";
$query .= ") VALUES (";
$query .= " '{$title}', '{$date}', '{$content}' ";
$query .= ")";
mysqli_query($connection, $query); ?>

Answer

It would be the best to use prepared statements.

$stmt = mysqli_prepare($connection, "INSERT INTO months (title, date, content) 
                                VALUES(?, ?, ?)");

mysqli_stmt_bind_param($stmt, "sss", $title, $date, $content);
$title = $_POST["title"]; 
$date = $_POST["date"]; 
$content = $_POST["content"]; 
mysqli_stmt_execute($stmt);

When using an escape function and string concatenation there might still be cases in which sql injection is possible. Prepared Statements work differently, so they are secure against sql injection. http://stackoverflow.com/a/60496/3595565