Sun. Jan 19th, 2020


39: Protect your database against SQL injection using MySQLi | PHP tutorial | Learn PHP programming


Learn to protect your database against SQL injection using MySQLi. Today we will learn how to protect our database from SQL injection using MySQLi. The MySQLi function is called mysqli_real_escape_string(), and it escapes the special characters in any form text that the user submits from the website, so that the text cannot be used to inject SQL into our database.

In the next episode we will learn how to interact with our database using Prepared Statements, which is the preferred method of interacting with databases, since it is safer and in some cases faster.
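As an added example (not the tutorial's own code), the snippet below puts the vulnerable query next to the escaped version, and also shows the two caveats a practitioner needs: mysqli_real_escape_string() needs the open connection handle (escaping depends on the connection's character set), and it only protects a value that sits inside quotes in the SQL string, so a numeric value used without quotes must be cast instead. A prepared-statement version is included at the end since that is the method the next episode covers. The connection details, the `users` table and its `id`, `uid` and `pwd` columns are assumptions chosen to match the form fields discussed on this page.

```php
<?php
// Added example, not code from the tutorial. The connection details below are
// placeholders; the `users` table with `id` and `uid` columns is an assumption.
$conn = mysqli_connect("localhost", "db_user", "db_password", "db_name");
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}
// Declare the charset so escaping and the server agree on the encoding.
mysqli_set_charset($conn, "utf8mb4");

// 1) Vulnerable: raw POST data is concatenated straight into the SQL text.
//    A single quote inside $uid terminates the string literal early, which is
//    exactly what the 'OR''=' login bypass mentioned in the comments relies on.
function findUserVulnerable(mysqli $conn, string $uid): ?array
{
    $sql = "SELECT id, uid FROM users WHERE uid = '$uid'";
    $result = mysqli_query($conn, $sql);
    return $result ? mysqli_fetch_assoc($result) : null;
}

// 2) Escaped: mysqli_real_escape_string() backslash-escapes quotes, backslashes
//    and NUL bytes so the value can no longer close the quoted literal. The
//    connection handle is a required argument; the function cannot escape
//    correctly without knowing the connection's charset.
//    This only helps because the value is wrapped in quotes in the SQL string.
function findUserEscaped(mysqli $conn, string $uid): ?array
{
    $safeUid = mysqli_real_escape_string($conn, $uid);
    $sql = "SELECT id, uid FROM users WHERE uid = '$safeUid'";
    $result = mysqli_query($conn, $sql);
    return $result ? mysqli_fetch_assoc($result) : null;
}

// 3) Numeric values: escaping does not protect an unquoted number, since a
//    hostile value need not contain any quote characters at all. Cast to int
//    (or use a prepared statement) so only digits can reach the query.
function findUserById(mysqli $conn, $id): ?array
{
    $safeId = (int) $id;
    $sql = "SELECT id, uid FROM users WHERE id = $safeId";
    $result = mysqli_query($conn, $sql);
    return $result ? mysqli_fetch_assoc($result) : null;
}

// 4) Prepared statement: the value travels separately from the query text, so
//    no escaping is needed and quoting mistakes are impossible.
//    (mysqli_stmt_get_result() requires the mysqlnd driver, the default build.)
function findUserPrepared(mysqli $conn, string $uid): ?array
{
    $stmt = mysqli_prepare($conn, "SELECT id, uid FROM users WHERE uid = ?");
    mysqli_stmt_bind_param($stmt, "s", $uid);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    mysqli_stmt_close($stmt);
    return $row ?: null;
}

// Read form fields with a default so a missing key does not trigger the
// "Undefined index" notice when the script is opened without a POST.
$uid = $_POST['uid'] ?? '';
$userId = $_POST['userid'] ?? '0';

var_dump(findUserEscaped($conn, $uid));
var_dump(findUserById($conn, $userId));
var_dump(findUserPrepared($conn, $uid));
mysqli_close($conn);
```

The escaped and prepared versions return the same rows for ordinary input; the difference shows up only for input containing quotes, where the vulnerable version either errors or matches the wrong rows. In practice, use prepared statements for every query that carries user input and treat mysqli_real_escape_string() as a fallback for the rare case where a value must be interpolated into a quoted literal.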


First of all, thank you for all the support you have given me!

I am really glad to have such an awesome community on my channel. It motivates me to continue creating and uploading content! So thank you!

I am now using Patreon to share improved and updated lesson material, and for a small fee you can access all the material. I have worked hard, and done my best to help you understand what I teach.

I hope you will find it helpful 🙂

Material for this lesson:

35 thoughts on “39: Protect your database against SQL injection using MySQLi | PHP tutorial | Learn PHP programming”

  1. Is it necessary to use mysqli_real_escape_string with numbers? I mean, if I'm getting a user id in a $_POST variable, should I write $userid = mysqli_real_escape_string($con, $_POST["userid"]);?

  2. Actually you are the best, GO ON.
    I got this problem. Any suggestions?
    In browser: http://localhost:81/connectToDatabase/includes/
    Notice: Undefined index: first in on line 4

    Notice: Undefined index: last in on line 5

    Notice: Undefined index: uid in on line 6

    Notice: Undefined index: email in on line 7

    Notice: Undefined index: pwd in on line 8

  3. Is it necessary to have two "$conn"??

    I mean, we put "$conn" in each variable to keep it connected to the server,
    while we have already put it below in "mysqli_query($conn, $sql)".

    Does it function the same while keeping only one of them??

    Please let me know if the above is not clear.

  4. Hahahahaha, I was able to log into my server using 'OR''=' as the username and password. After watching this video, that doesn't work anymore :P (noob coder here). Still paranoid my friends are out to get me by SQL injection :O

  5. Wait, so do we use both the 'real_escape_string' method and the prepared statements method, or just one of them (of which 'prepared statements' is more robust against hacker injection)?
