@jayzeng
Last active December 11, 2015 22:39
sql injection
<?php
// init connection
$pdo = new PDO("mysql:host=localhost;dbname=database", "username", "password");

// Bad bad bad!!!
// quote() = escape + surrounding quotes, but the value is still interpolated into the SQL string
$username = $pdo->quote($_GET['user']);
$pdo->query("SELECT * FROM users WHERE username = $username");

// mysqli, "manual" escaping (only protects a value inside a quoted string literal)
// mysqli, OO way
$mysqli = new mysqli('localhost', 'username', 'password', 'database');
$username = $mysqli->real_escape_string($_GET['user']);
$mysqli->query("SELECT * FROM users WHERE username = '$username'");

// Prepare
// PDO, prepared statement: prepare() returns a PDOStatement; execute() is called on it,
// and the key passed to execute() must match the placeholder name (:user)
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = :user');
$stmt->execute(array(':user' => $_GET['user']));

// mysqli, prepared statement: bind_param() takes a variable by reference, 's' = string
$query = $mysqli->prepare('SELECT * FROM users WHERE username = ?');
$user = $_GET['user'];
$query->bind_param('s', $user);
$query->execute();
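An added example, not part of the gist, carrying the prepared-statement approach above through with the details a practitioner usually needs: exceptions on error, native (non-emulated) prepares, an integer-typed binding for a numeric column (where escaping alone gives no protection because there are no quotes to escape), wildcard handling for LIKE, and an allow-list for the one thing placeholders cannot cover, a column name. The `users` table columns (`id`, `username`, `email`) and the connection details are assumptions.

```php
<?php
// Added example (not from the gist). Assumes a `users` table with `id`, `username`
// and `email` columns, and the same placeholder credentials as above.
$pdo = new PDO(
    "mysql:host=localhost;dbname=database;charset=utf8mb4",
    "username",
    "password",
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, never silently
        PDO::ATTR_EMULATE_PREPARES   => false, // MySQL parses the query; parameters travel separately
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// Numeric column: quote()/real_escape_string() cannot help with `WHERE id = $id`
// (the value is not inside a string literal), but a typed bound parameter never
// reaches the SQL parser at all.
function findUserById(PDO $pdo, $id)
{
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch() ?: null;
}

// LIKE search: the bound value cannot alter the query, but `%` and `_` are still
// wildcards inside the pattern; escape them so user input matches literally
// (MySQL's default LIKE escape character is the backslash).
function searchUsers(PDO $pdo, $term)
{
    $escaped = addcslashes($term, '\\%_');
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username LIKE :term');
    $stmt->execute([':term' => '%' . $escaped . '%']);
    return $stmt->fetchAll();
}

// Identifiers (column or table names, ORDER BY targets) cannot be bound as
// parameters; map the request onto a fixed allow-list instead of interpolating it.
function listUsersSortedBy(PDO $pdo, $column)
{
    $allowed = ['id' => 'id', 'username' => 'username', 'email' => 'email'];
    if (!isset($allowed[$column])) {
        throw new InvalidArgumentException('Unknown sort column');
    }
    $stmt = $pdo->query('SELECT id, username, email FROM users ORDER BY ' . $allowed[$column]);
    return $stmt->fetchAll();
}

var_dump(findUserById($pdo, $_GET['id'] ?? 0));
```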