39: Protect your database against SQL injection using MySQLi | PHP tutorial | Learn PHP programming

Learn to protect your database against SQL injection using MySQLi. Today we will learn how to protect our database from SQL injection using MySQLi. The MySQLi function is called mysqli_real_escape_string(), and it escapes the special characters in any form text the user submits from the website, so that the text cannot be interpreted as SQL code if someone tries to inject code into our database.

In the next episode we will learn how to interact with our database using Prepared Statements, which is the preferred method of interacting with databases, since it is safer and in some cases faster.
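As an added illustration (not code from the video or its author), the signup INSERT from this series written three ways: raw concatenation, escaped with mysqli_real_escape_string(), and as a prepared statement. The table name `users`, the column names and the connection credentials are assumptions.

```php
<?php
// Added example, not part of the original lesson. Connection details are
// placeholders; replace them with your own.
$conn = mysqli_connect("localhost", "DB_USER", "DB_PASSWORD", "DB_NAME");
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}

// Form input is untrusted. The null-coalescing operator gives "" for a
// missing field instead of the "Undefined index" notice.
$first = $_POST["first"] ?? "";
$email = $_POST["email"] ?? "";

// 1. UNSAFE, shown only for comparison and never executed here: the raw
//    input is concatenated into the SQL string. A single quote inside
//    $first ends the string literal, and whatever follows is parsed as SQL.
$sqlUnsafe = "INSERT INTO users (first, email) VALUES ('$first', '$email');";

// 2. Escaped: mysqli_real_escape_string() backslash-escapes quotes and other
//    special characters according to the connection's character set, which
//    is why $conn is the first argument. It only protects a value that sits
//    inside quotes in the SQL, so '$firstEsc' must keep its quotes; an
//    unquoted number or a table name is not protected by it.
$firstEsc = mysqli_real_escape_string($conn, $first);
$emailEsc = mysqli_real_escape_string($conn, $email);
$sqlEscaped = "INSERT INTO users (first, email) VALUES ('$firstEsc', '$emailEsc');";
if (!mysqli_query($conn, $sqlEscaped)) {
    echo "Error: " . mysqli_error($conn);
}

// 3. Prepared statement (the next episode's method): the SQL is sent with
//    ? placeholders and the values are bound separately, so no quoting or
//    escaping is needed and the server never treats input as SQL code.
$stmt = mysqli_prepare($conn, "INSERT INTO users (first, email) VALUES (?, ?);");
mysqli_stmt_bind_param($stmt, "ss", $first, $email); // "ss" = two strings
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);

mysqli_close($conn);
```

Of the three, only the second and third are executed; the prepared statement also removes the question of where quotes belong, since no SQL string is assembled from the input at all.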


First of all, thank you for all the support you have given me!

I am really glad to have such an awesome community on my channel. It motivates me to continue creating and uploading content! So thank you!

I am now using Patreon to share improved and updated lesson material, and for a small fee you can access all the material. I have worked hard, and done my best to help you understand what I teach.

I hope you will find it helpful 🙂

Material for this lesson:

Source: https://svdpch.org/

See other articles: https://svdpch.org/cong-nghe/

38 thoughts on “39: Protect your database against SQL injection using MySQLi | PHP tutorial | Learn PHP programming”

  1. You are a God-send! Thank you for your awesome tutorials; they have helped me soooo much in school with my assignments! Thank you for being so detailed!

  2. This would have been much better if, instead of talking about 'some code', you had demonstrated an SQL injection string, DROP TABLE etc. and its effects on the database.
    And it wouldn't have taken very long either.

  3. I have a question: 'Is this prepared statement required only when taking input from the user, or is it necessary while displaying any data without user input?' Thanks

  4. Is SQL injection only an issue for text fields? I assume so as it’s the only one where the user can enter anything, but anyway I just wanted some clarification. Thanks

  5. Due to some reason the data entered in the web page is not captured in the database. What could be the reason? By the way, your teaching method is excellent. Thank you so much. God bless you…..

  6. Is it necessary to use mysqli_real_escape_string with numbers? I mean, if I'm getting a user id in the $_POST variable, should I write $userid = mysqli_real_escape_string($con,$_POST["userid"]);?

  7. Actually you are the best, GO ON
    I got this problem: any suggestions?
    In browser http://localhost:81/connectToDatabase/includes/signup.inc.php
    Notice: Undefined index: first in C:\xampp\htdocs\connectToDatabase\includes\signup.inc.php on line 4

    Notice: Undefined index: last in C:\xampp\htdocs\connectToDatabase\includes\signup.inc.php on line 5

    Notice: Undefined index: uid in C:\xampp\htdocs\connectToDatabase\includes\signup.inc.php on line 6

    Notice: Undefined index: email in C:\xampp\htdocs\connectToDatabase\includes\signup.inc.php on line 7

    Notice: Undefined index: pwd in C:\xampp\htdocs\connectToDatabase\includes\signup.inc.php on line 8

  8. Is it necessary to have two "$conn"?

    I mean we put "$conn" in each variable to keep it connected to the server
    while we have already put it below in "mysqli_query($conn, $sql)".

    Does it function the same while only keeping either one?

    Please let me know if the above is not clear.

  9. I do not understand how people dislike this video. It delivers what it promises and it does so amazingly.

  10. Thanks indeed, it was very fascinating, but

    how can I update, using the function called mysql_real_escape_string(), to insert some data like mmtut'''s lecture or simply data with quotes?

  11. Instead of all that typing, I use filter_var_array and sanitize the string: $POST = filter_var_array($_POST, FILTER_SANITIZE_STRING);

  12. Hahahahaha I was able to log into my server using 'OR''=' as the username and password. After watching this video, that doesn't work anymore :P (noob coder here). Still paranoid my friends are out to get me by SQL injection :O

  13. I wish I could write code that detects when special characters are being used by the hacker in the input field, and then my code records their IP address and punishes them for trying to hack into my database, by sending a missile to their doorstep. That would be fun. New tutorial idea coming soon 😉

  14. The first video I found on how to protect a database from SQL injection; usually other videos don't tell us about this. Really awesome, man

  15. Wait, so do we use both the 'real_escape_string' method and the prepared statements method, or just one of them (of which 'prepared statements' is more robust against hacker injection)?

  16. Please, why did you put quotes around variables after VALUES?
    Like '$first'
    Shouldn't we not put quotes around variables????
    BTW thank you soo much

  17. Do you know that you have foreign students who follow your tutorials on your channel? Please can you put the subtitles in this video also. Thanks

  18. I need some assistance here… For some reason, I have two tables but it is now not inserting into the 2nd table… Can someone please help me?

