How to prevent SQL injection in Question2Answer?

I want to prevent SQL injection in Question2Answer.

This is how I store data in MySQL via an HTML form. I know it’s a security risk.

Examples –

$price = $_POST['price'];

OR

$price = array_key_exists('price', $_POST) ? $_POST['price'] : "";

and SQL query is –

$insertqry = qa_db_query_sub("INSERT INTO test_table (title, price) VALUES ('$title','$price')");

How should I post data in the latest PHP 7 and above version?

I think escaping strings is deprecated or outdated.

Answer

Based on what little information I can find you need to use qa_db_query_sub with placeholder values:

qa_db_query_sub("INSERT INTO test_table (title, price) VALUES ($,$)", $title, $price);

You will want to check with the official documentation, which I can’t find, to be sure that’s correct.

As a note, if you’re trying to build a full application I’m not sure this platform is the best to build on top of. There are a lot of other frameworks that are much better documented and have a lot more community support.
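To make the difference concrete, here is an added example (written for this page, not code from the post or from the Question2Answer project). It puts the placeholder call from the answer above next to a plain PDO prepared statement, and validates `price` before either is used. The table name `test_table` and the columns `title`/`price` come from the question; the `$post` payload is constructed for the demo, and the PDO part uses an in-memory SQLite database so the script runs offline without a Question2Answer install (the `qa_db_query_sub` call is skipped when that function is not defined).

```php
<?php
// Added example, not from the original post or the Question2Answer project.
// Two approaches side by side:
//   1. the Q2A-style call with "$" placeholders, as shown in the answer above
//      (guarded by function_exists so this script also runs outside Q2A), and
//   2. a plain PDO prepared statement against an in-memory SQLite database.

// Constructed input standing in for $_POST. The title carries a classic
// injection payload; with placeholders it is stored as an ordinary string.
$post = [
    'title' => "Widget', 0); DROP TABLE test_table; --",
    'price' => '19.99',
];

// Validate before anything touches the database: price must be a decimal number.
function readPrice(array $post): ?string
{
    $raw = $post['price'] ?? '';
    return filter_var($raw, FILTER_VALIDATE_FLOAT) === false ? null : $raw;
}

$title = (string)($post['title'] ?? '');
$price = readPrice($post);
if ($price === null) {
    exit("invalid price\n");
}

// 1. Inside Question2Answer: the form suggested in the answer above.
//    Each "$" is replaced by the escaped, quoted value by the library;
//    nothing is concatenated into the query string by hand.
if (function_exists('qa_db_query_sub')) {
    qa_db_query_sub('INSERT INTO test_table (title, price) VALUES ($, $)', $title, $price);
}

// 2. Generic PHP: a prepared statement. The SQL text and the data travel
//    separately, so the payload cannot change the structure of the query.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE test_table (id INTEGER PRIMARY KEY, title TEXT, price REAL)');

$stmt = $db->prepare('INSERT INTO test_table (title, price) VALUES (:title, :price)');
$stmt->execute([':title' => $title, ':price' => $price]);

// The pattern from the question, shown only as a string and never executed:
// interpolating $title lets the payload close the VALUES list and append
// its own statement.
$unsafe = "INSERT INTO test_table (title, price) VALUES ('$title','$price')";
echo "Interpolated query would have been:\n  $unsafe\n\n";

// Show that the table still exists and the payload was stored verbatim.
foreach ($db->query('SELECT id, title, price FROM test_table') as $row) {
    printf("%d | %s | %.2f\n", $row['id'], $row['title'], $row['price']);
}
```

Run it with `php example.php`; the SELECT at the end prints the row with the payload stored as text and the table intact. The validation step matters independently of placeholders: escaping protects the query, but it does not stop a non-numeric `price` from reaching a numeric column.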

User contributions licensed under: CC BY-SA