Prevent sql injection in q2a custom php form ?

Question 1

This is how i store data in mysql via php form. I know its security risk.

Examples - $price = $_POST['price'];

OR

$price = array_key_exists('price', $_POST) ? $_POST['price'] : "";

and sql query is -

$insertqry = qa_db_query_sub("INSERT INTO test_table (title, price) VALUES ('$title','$price')");

How should i post data in latest php 7 and above version ?
I think escape string is deprecated or outdated.

Thanks for your help !

Question 2

Hello, the qa_db_query_sub function exists exactly for this purpose, however you're not quite using it correctly. You need to add placeholders to the query then pass the variables separately. Use # for a number and $ for a string.

So your example should be:

$insertqry = qa_db_query_sub("INSERT INTO test_table (title, price) VALUES ($, #)", $title, $price);

Also if you're using Q2A tables, use ^ to automatically add the correct table prefix, so ^posts becomes qa_posts.

Question 3

Thank you scott !

Scott · Answer 1 · 2020-05-06T16:19:08+0000

Hello, the qa_db_query_sub function exists exactly for this purpose, however you're not quite using it correctly. You need to add placeholders to the query then pass the variables separately. Use # for a number and $ for a string.

So your example should be:

$insertqry = qa_db_query_sub("INSERT INTO test_table (title, price) VALUES ($, #)", $title, $price);

Also if you're using Q2A tables, use ^ to automatically add the correct table prefix, so ^posts becomes qa_posts.

Prevent sql injection in q2a custom php form ?

Please log in or register to add a comment.

Please log in or register to answer this question.

1 Answer

Please log in or register to add a comment.

Categories

Prevent sql injection in q2a custom php form ?

Please log in or register to add a comment.

Please log in or register to answer this question.

1 Answer

Please log in or register to add a comment.

Related questions

Categories