How to correctly pass a variable to a database query?
For the SELECT, the value of the id variable has to be passed into the query. What is the safest way to do this?
$id = $_GET["id"];
$res = $mysqli->query("SELECT * FROM goods WHERE id = '$id'");
If you are writing something of your own and need to work with a database, then rather than reinventing the wheel with PDO, I use the RedBeanPHP ORM; this ORM has proven itself well. Easy to use, good documentation, and quite fast.
If you are learning, then immediately forget that mysql(i) exists and master PDO. Use parameter binding and prepared statements. And never put variables into the query text...
If for some reason this is some legacy code that cannot be rewritten and you must use mysqli, then at least check the type and value of id, for example using filter_var($id, FILTER_VALIDATE_INT), or another suitable method. Note: not is_int(), because $_GET["id"] is a string...
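The approach from the answer above, written out as an added example (not code from the question or the answer): the id is validated as an integer and then bound as a parameter, first with PDO and then with a prepared statement on the legacy mysqli path. The DSN, credentials and the `goods` table with an integer `id` column are assumed placeholders.

```php
<?php
declare(strict_types=1);

// Request input; in a real request this comes from the query string.
$rawId = $_GET['id'] ?? '';

// The id must be an integer before it goes anywhere near SQL.
// filter_var, not is_int(): $_GET values are always strings.
$id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false) {
    http_response_code(400);
    exit('invalid id');
}

// --- Preferred: PDO with a prepared statement and a bound parameter ---
$pdo = new PDO(
    'mysql:host=localhost;dbname=shop;charset=utf8mb4', // placeholder DSN
    'db_user',                                          // placeholder credentials
    'db_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// The SQL text contains only the placeholder; the value is sent separately.
$stmt = $pdo->prepare('SELECT * FROM goods WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$goodsViaPdo = $stmt->fetch(PDO::FETCH_ASSOC);

// --- Legacy mysqli path: same validation, then a prepared statement ---
$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'shop'); // placeholders
$stmt = $mysqli->prepare('SELECT * FROM goods WHERE id = ?');
$stmt->bind_param('i', $id); // 'i' = integer; the value never touches the SQL text
$stmt->execute();
$goodsViaMysqli = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
```

Either way, `$id` never becomes part of the SQL string, so the quoting that made the original `'$id'` query injectable is no longer an issue.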