I'm just starting to learn mysqli and don't know how to apply it in my old project.
So here is my code:
PHP
<?php
    $sName   = "***";
    $conInfo = array("Database" => "***", "UID" => "***", "PWD" => "***");

    $oconn = sqlsrv_connect($sName, $conInfo);

    if (!$oconn) {
        die(print_r(sqlsrv_errors(), true));
    }

    if (isset($_POST['searchimput'])) {
        if (empty($_POST['coc_type'])) {
            echo 'Please Supply Policy type and search by field';
        } else {
            $plateno  = $_POST['searchimput'];
            $coc_type = $_POST['coc_type'];

            $searchBy = $_POST['filter'];
            echo '<span class="sr-paregister2">';
            echo 'POLICY TYPE : ' . $coc_type;
            echo "<br>\n";

            switch ($searchBy) {
                case "PLATE_NO":
                    echo "PLATE NUMBER : " . $plateno;
                    break;
                case "SERIAL_NO":
                    echo "CHASSIS NUMBER : " . $plateno;
                    break;
                case "MOTOR_NO":
                    echo "MOTOR NUMBER : " . $plateno;
                    break;
                default:
                    echo "";
            }
            echo '</span>';
            echo "<br>\n";
            echo '<hr>';

            // The actual SELECT statement was left out of the post.
            $odsql = " select statement here ";

            $ostmt = sqlsrv_query($oconn, $odsql);

            $row_count = sqlsrv_has_rows($ostmt);

            if ($row_count === false) {
                echo "No record found";
            } else {
                while ($value = sqlsrv_fetch_array($ostmt, SQLSRV_FETCH_NUMERIC)) {
                    // (do this......) -- row processing omitted in the post
                }
            }

            sqlsrv_free_stmt($ostmt);
            sqlsrv_close($oconn);
        }
    }
?>



And also, how do I sanitize this code using mysqli?
Thanks.

What I have tried:

I'm just starting to learn mysqli and don't know how to apply it in my old project.
Posted
Updated 6-Aug-18 4:00am
Comments
Jochen Arndt 6-Aug-18 6:05am    
And what is your problem?

The code is generally looking OK, besides that sqlsrv_close( $oconn); should be called after the last closing '}' and the parameter name 'searchimput' might be wrong (I would expect it to be 'searchinput').

And you do know that the used PHP SQL functions are for Microsoft SQL Server databases requiring the MS SQLSRV driver for PHP?

We can't help more because we do not know about your database and you have not even shown a valid SQL query.

1 solution

Don't "sanitize" it; use parameters:
PHP: SQL Injection - Manual
PHP: Prepared statements and stored procedures - Manual

You'll also want to HTML-encode any user input before echoing to the response:
PHP: htmlentities - Manual
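The same search written with bound parameters and encoded output, as an added example that is not the answerer's or the poster's code. It keeps the sqlsrv driver the posted code already uses (sqlsrv_query accepts a parameter array); the table name vehicle_policies and the assumption that PLATE_NO, SERIAL_NO and MOTOR_NO are real column names are placeholders, and $oconn is assumed to be an open connection.

```php
<?php
// Added example (not from the original post or answer). Assumes $oconn is
// an open sqlsrv connection, a table named vehicle_policies (placeholder),
// and that the filter values are real column names (assumption).

// A column name cannot be bound as a parameter, so the user's "filter"
// choice is mapped through a fixed whitelist; anything else is rejected.
$allowedColumns = [
    'PLATE_NO'  => ['column' => 'PLATE_NO',  'label' => 'PLATE NUMBER'],
    'SERIAL_NO' => ['column' => 'SERIAL_NO', 'label' => 'CHASSIS NUMBER'],
    'MOTOR_NO'  => ['column' => 'MOTOR_NO',  'label' => 'MOTOR NUMBER'],
];

$searchBy = $_POST['filter'] ?? '';
$value    = $_POST['searchimput'] ?? '';
$cocType  = $_POST['coc_type'] ?? '';

if (!isset($allowedColumns[$searchBy]) || $value === '' || $cocType === '') {
    echo 'Please supply policy type and search-by field';
    exit;
}

// Encode every user-supplied string before echoing it into the page.
echo '<span class="sr-paregister2">';
echo 'POLICY TYPE : ' . htmlentities($cocType, ENT_QUOTES, 'UTF-8') . "<br>\n";
echo $allowedColumns[$searchBy]['label'] . ' : '
   . htmlentities($value, ENT_QUOTES, 'UTF-8');
echo "</span><br>\n<hr>";

// Values go in as "?" placeholders; the column name comes only from the
// whitelist above, never from the request.
$sql = 'SELECT * FROM vehicle_policies WHERE coc_type = ? AND '
     . $allowedColumns[$searchBy]['column'] . ' = ?';
$stmt = sqlsrv_query($oconn, $sql, [$cocType, $value]);

if ($stmt === false) {
    die(print_r(sqlsrv_errors(), true));
}
if (!sqlsrv_has_rows($stmt)) {
    echo 'No record found';
} else {
    while ($row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC)) {
        // Data read back from the database is encoded on output too.
        echo htmlentities((string) $row['PLATE_NO'], ENT_QUOTES, 'UTF-8') . "<br>\n";
    }
}
sqlsrv_free_stmt($stmt);
```

With mysqli the shape is the same: bind the two values with mysqli_stmt::bind_param and keep the column name on the whitelist.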

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)