Trying to create a mysql injection proof script [closed]
I'm just a beginner, What's wrong with my code, I'm trying to experiment on this so that the webpages I'm going to create will not be vulnerable to mysql injections. What's the correct way of doing this:
<?php
$host="localhost";
$username="root";
$password="";
$db_name="testing";
$tbl="hospital";
$connection=mysql_connect($host, $username, $password) or die("cannot connect!");
mysql_select_db($db_name, $connection) or die("cannot select db!");
$LASTNAME = $_POST[lname];
$FIRSTNAME = $_POST[fname];
$FIRSTNAME=(isset($_POST['fname']||trim($_POST['fname'])=="")?die('Error:Enter Firstname!')
mysql_escape_string(trim($_PO开发者_如何学JAVAST['fname']));
$sqlque="INSERT INTO hospital (LASTNAME, FIRSTNAME)
VALUES ('$LASTNAME', '$FIRSTNAME')";
if (!mysql_query($sqlque,$con))
{
die('Error: ' . mysql_error());
}
echo "<script>alert('Record successfully added!')</script>";
mysql_close($con)
?>
Here's the error, please help, thanks:
Parse error: parse error, expecting `','' or `')'' in C:\wamp\www\sql injection check\aisaction.php on line 20
use prepared statements
There is a missing :
after die('Error:Enter Firstname!')
Just an update for anyone who comes across this question. The preferred method now would be to use PDO http://php.net/manual/en/book.pdo.php and prepared statements.
Specifically the MySQL extension either is no longer, or soon will not be supported in PHP. PDO is also more portable than MySQL or MySQLi
$db = new PDO(/*connection info*/);
$sql = "SELECT * FROM tbl WHERE condition1 = :param1 AND condition2 = :param2";
$stmt = $db->prepare($sql);
$stmt->bindValue(":param1", 10);
$stmt->bindValue(":param2", "banana");
$stmt->execute();
精彩评论