Hi, I'm fairly new to PHP and MySQL, and I'm having a problem. I did some research about protecting against SQL injection, and decided prepared statements seemed to be the best way to go. The problem is, I don't think it's working the way it's supposed to. If I understand right, no matter what I input I shouldn't be able to make MySQL choke because the parameters are separate from the query. However, when I input the ' character, the query doesn't execute, making me think it's still vulnerable in some way. Strangely, using mysql_error() doesn't show anything.
I'm using PHP 4 and MySQL 5.0. I know they're old, but I have no choice in the matter. Am I doing this correctly, or is there a better way to defend against SQL injection? Here's an example of what I'm using:
$statement = "PREPARE edit_customer FROM 'UPDATE customers SET customer_name=?, customer_address=?, customer_contact=?, customer_phone=?, customer_email=?, customer_notes=?'";
@mysql_query($statement);
@mysql_query("SET @customer_name = '$customerName'");
@mysql_query("SET @customer_address = '$customerAddress'");
@mysql_query("SET @customer_contact = '$customerContact'");
@mysql_query("SET @customer_phone = '$customerPhone'");
@mysql_query("SET @customer_email = '$customerEmail'");
@mysql_query("SET @customer_notes = '$customerNotes'");
$query = "EXECUTE edit_customer USING @customer_name, @customer_address, @customer_contact, @customer_phone, @customer_email, @customer_notes";
$result = @mysql_query($query);
@mysql_query("DEALLOCATE PREPARE edit_customer");
if ($result) {
    echo "<p>Customer edited.</p>";
} else {
    $errors[] = "Database error.";
    echo "<p>SQL ERROR: " . mysql_error() . "</p>";
}
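An added example (not the original poster's code) showing where the injection point actually is in this pattern and how to close it on PHP 4 with the old mysql extension. It assumes `$link` is an open `mysql_connect()` resource and the same `customers` columns as above; the `customer_*` values are the only user-controlled input.

```php
<?php
// PREPARE/EXECUTE only binds the '?' placeholders. The "SET @var = '...'"
// statements that load the user variables are ordinary string-built SQL, so a
// single ' in the input still terminates the literal and breaks that SET.
// Each value therefore has to be escaped for exactly that statement;
// mysql_real_escape_string() has been available since PHP 4.3.0.

function set_user_vars($link, $vars)
{
    // $name comes from the developer's array, only $value is user input.
    foreach ($vars as $name => $value) {
        $safe = mysql_real_escape_string($value, $link);
        if (!mysql_query("SET @$name = '$safe'", $link)) {
            return false;
        }
    }
    return true;
}

function edit_customer($link, $fields)
{
    $prepare = "PREPARE edit_customer FROM 'UPDATE customers SET customer_name=?, "
             . "customer_address=?, customer_contact=?, customer_phone=?, "
             . "customer_email=?, customer_notes=?'";
    if (!mysql_query($prepare, $link)) {
        return mysql_error($link);
    }
    $error = '';
    if (!set_user_vars($link, $fields)) {
        $error = mysql_error($link);
    } else {
        $execute = "EXECUTE edit_customer USING @customer_name, @customer_address, "
                 . "@customer_contact, @customer_phone, @customer_email, @customer_notes";
        if (!mysql_query($execute, $link)) {
            // Read the error BEFORE deallocating: a successful DEALLOCATE is a
            // new "previous operation", so mysql_error() afterwards is empty.
            $error = mysql_error($link);
        }
    }
    mysql_query("DEALLOCATE PREPARE edit_customer", $link);
    return $error;  // '' on success, otherwise the MySQL error text
}

// Constructed sample input: the apostrophe no longer breaks the SET statement.
$err = edit_customer($link, array(
    'customer_name'    => "O'Brien",
    'customer_address' => "1 Main St",
    'customer_contact' => "Pat",
    'customer_phone'   => "555-0100",
    'customer_email'   => "pat@example.com",
    'customer_notes'   => "note with ' and \\ inside",
));
echo $err === '' ? "<p>Customer edited.</p>" : "<p>SQL ERROR: $err</p>";
```

The same escaping is required even with the `@` error suppression removed; PREPARE does nothing for the SET statements, so every value that reaches one must go through `mysql_real_escape_string()` on the same connection.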