I have the following PHP script that inserts form user input into the database. Is mysqli_real_escape_string enough to prevent SQL injection if I don't want to use prepared statements and bind parameters to "?" placeholders?
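// Inserts one business-contact row from a POSTed form using escaped, single-quoted values.
// mysqli_real_escape_string() is only adequate here because every value is placed inside
// single quotes in the SQL below AND the connection charset is set explicitly (the escaper
// is charset-aware); a prepared statement is the safer default.
$link = mysqli_connect("localhost", "root", "", "bizcontact"); // NOTE(review): root with an empty password — use a least-privilege account

/* check connection BEFORE using $link: on failure mysqli_connect() returns false
   and the escape calls below would error out on a non-connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

/* pin the charset so escaping and the server agree on which bytes are quotes */
mysqli_set_charset($link, 'utf8mb4');

/* missing POST fields become '' instead of raising an undefined-index notice */
$name     = mysqli_real_escape_string($link, isset($_POST['name'])     ? $_POST['name']     : '');
$company  = mysqli_real_escape_string($link, isset($_POST['company'])  ? $_POST['company']  : '');
$position = mysqli_real_escape_string($link, isset($_POST['position']) ? $_POST['position'] : '');
$contact  = mysqli_real_escape_string($link, isset($_POST['contact'])  ? $_POST['contact']  : '');
$email    = mysqli_real_escape_string($link, isset($_POST['email'])    ? $_POST['email']    : '');
$gender   = mysqli_real_escape_string($link, isset($_POST['gender'])   ? $_POST['gender']   : '');

/* every interpolated value is single-quoted: escaping does nothing for an unquoted
   position (numeric value, identifier, LIMIT), so never drop the quotes */
$sql = "INSERT INTO businesscontact(name, company, position, phone, email, gender) VALUES('$name', '$company', '$position', '$contact', '$email', '$gender')";
if (mysqli_query($link, $sql)) {
    echo "success";
} else {
    echo(mysqli_error($link)); // NOTE(review): driver errors reveal table/column names; log rather than echo in production
}

/* close connection */
mysqli_close($link);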
UPDATE
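// Same insert via a prepared statement: values travel separately from the SQL text,
// so no escaping is needed (or wanted). Bind the raw POST values here —
// NOTE(review): if $name etc. still went through mysqli_real_escape_string(),
// the stored rows will contain literal backslashes (double escaping).
$stmt = $link->prepare("INSERT INTO businesscontact(name, company, position, phone, email, gender) VALUES(?,?,?,?,?,?)");
if ($stmt === false) {
    /* prepare() returns false on bad SQL or a dead connection; bind_param on false is a fatal error */
    echo(mysqli_error($link));
} else {
    $stmt->bind_param("ssssss", $name, $company, $position, $contact, $email, $gender);
    if ($stmt->execute()) {
        echo "success";
    } else {
        echo($stmt->error); // statement-level errors are reported on the statement, not the connection
    }
    $stmt->close();
}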