MySQLi. PHP. GET. POST. Insert. Update. Delete. Segur SQL Inject

Juan_Antonio · May 7, 2020, 3:58pm

About SQL Injection in MySQLi.

This interesting discussion on Kodular gave me the idea to adapt my code to a higher level of security. It is about protecting it against SQL Inject,…

… for this I used the ideas of this tutorial:

2.- MySQLi + PHP + POST + App Inventor.

p340B_mysqli_php_post.aia (3.8 KB)

<?php
// Juan Antonio Villalpando
// http://kio4.com/appinventor/340D_appinventor_mysqli_inject.htm

// 1.- IDENTIFICACION nombre de la base, del usuario, clave y servidor
$db_host="localhost";
$db_name="my_database";
$db_login="juan";
$db_pswd="contraseña";

// 2.- CONEXION A LA BASE DE DATOS
$link = new mysqli($db_host, $db_login, $db_pswd, $db_name);

if($link->connect_error) {
  exit('Error de conexion con la base de datos.');
}
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$link->set_charset("utf8mb4");

$boton = $_POST['boton'];

///////////////////////////////   INSERTAR - INSERT ////////////////////////////////////
if ($boton == "btnInsertar"){
    $Nombre = $_POST['Nombre'];
    $Edad = $_POST['Edad'];
    $Ciudad = $_POST['Ciudad'];
$stmt = $link->prepare("INSERT INTO personas (Nombre, Edad, Ciudad) VALUES (?, ?, ?)");
$stmt->bind_param("sss", $Nombre, $Edad, $Ciudad);
$stmt->execute();
$stmt->close();
print("Datos agregados a la base.");
}

///////////////////////////////   BORRAR - DELETE  ////////////////////////////////////
if ($boton == "btnBorrar"){
    $Nombre = $_POST['Nombre'];
$stmt = $link->prepare("DELETE FROM personas WHERE Nombre = ?");
$stmt->bind_param("s", $Nombre);
$stmt->execute();
$stmt->close();
print("Datos borrados.");
}

//////////////////////////////   ACTUALIZAR - UPDATE  ///////////////////////////////
if ($boton == "btnActualizar"){
    $Nombre = $_POST['Nombre'];
    $Edad = $_POST['Edad'];
    $Ciudad = $_POST['Ciudad'];
$stmt = $link->prepare("UPDATE personas SET Edad = ?, Ciudad = ? WHERE Nombre = ?");
$stmt->bind_param("sss", $Edad, $Ciudad, $Nombre);
$stmt->execute();
$stmt->close();
print("Datos modificados.");
}

///////////////////// BUSCAR POR NOMBRE - SEARCH BY NAME /////////////////////////////
if ($boton == "btnBuscarNombre"){
	$Nombre=$_POST['Nombre'];
$stmt = $link->prepare("SELECT * FROM personas WHERE Nombre = ?");
$stmt->bind_param("s", $Nombre);
$stmt->execute();
$stmt->bind_result($id, $Nombre, $Edad, $Ciudad); 
     while ( $stmt-> fetch() ) {
          echo $id.",".$Nombre.",".$Edad.",".$Ciudad."\n";
     }
$stmt->close();
}

/////////////////////// MOSTRAR TABLA - SHOW TABLE  /////////////////////////////////////
if ($boton == "btnVerTabla"){
$stmt = $link->prepare("SELECT * FROM personas");
$stmt->bind_param();
$stmt->execute();
$stmt->bind_result($id, $Nombre, $Edad, $Ciudad); 
     while ( $stmt-> fetch() ) {
          echo $id.",".$Nombre.",".$Edad.",".$Ciudad."\n";
     }
$stmt->close();
}
/////////////////////// OBTENER ORDENADO - GET SORT  /////////////////////////////////////
if ($boton == "btnOrdenar"){
	$Columna = $_POST['Columna'];
$stmt = $link->prepare("SELECT * FROM personas ORDER BY $Columna ASC");
$stmt->bind_param();
$stmt->execute();
$stmt->bind_result($id, $Nombre, $Edad, $Ciudad); 
     while ( $stmt-> fetch() ) {
          echo $id.",".$Nombre.",".$Edad.",".$Ciudad.","."\n";
     }
$stmt->close();
}
///////////////////////////////////////////////////////////////////
?>

If you also use encrypted data, for example with this extension com.KIO4_SecretKey.aix, the data will be more protected.

Regards,
(Tutorial in Spanish)

Interesting about SQL Inject.

Kent_Lou · January 2, 2021, 7:41pm

I want to make a project like this but it is about Register and Login. Please help.

Juan_Antonio · January 3, 2021, 6:00pm

First do the examples on this page to see if they work for you.

AppHelper_Studio · September 10, 2022, 5:11am

Very very thank you For this. But can you tell me how I can detect that if there(MySql) any data changed I got the result in my app. is this possible? Please try to reply.

TIMAI2 · September 10, 2022, 9:00am

I believe you will have to poll your dB from the app at regular intervals, unless you are able to set up a listener of some kind.

Juan_Antonio · September 10, 2022, 9:54am

@AppHelper_Studio

Take a look at

Firebase realtime as data base.

JavaScript (ajax) MySQL in realtime.

AppHelper_Studio · September 10, 2022, 3:15pm

Thank you very much.

Sterio_Berooz · August 25, 2023, 9:55am

hi , I had problem with inserting data from phone device to database
got 1101 error and I couldn't understand what's going on!! please help as an English document . when check the query link with browser and insert data , query worked and great. but in app didn't work and show me error.
(unable to get a response with specified URL)

TIMAI2 · August 25, 2023, 11:41am

You need to show your relevant blocks, and your php file

Sterio_Berooz · August 25, 2023, 11:59am

that's you talked about its waste my time and didn't make any sense - when I did same as blown - today I did same as many video on the internet . I opened his file project and everything just upload ,don't change anything, but didn't work.

Frank-HRO · April 25, 2024, 12:42pm

Hello,

I'm using PHP 8.1 and I'm having a problem displaying data.

/////////////////////  SEARCH BY NAME /////////////////////////////
if ($boton == "btnBuscarNombre"){
	$Nombre=$_POST['Nombre'];
$stmt = $link->prepare("SELECT * FROM personas WHERE Nombre = ?");
$stmt->bind_param("s", $Nombre);
$stmt->execute();
$stmt->bind_result($id, $Nombre, $Edad, $Ciudad); 
     while ( $stmt-> fetch() ) {
          echo $id.",".$Nombre.",".$Edad.",".$Ciudad."\n";
     }
$stmt->close();
}

This query works and returns one or more results.

///////////////////////  SHOW TABLE  /////////////////////////////////////
if ($boton == "btnVerTabla"){
$stmt = $link->prepare("SELECT * FROM personas");
$stmt->bind_param();
$stmt->execute();
$stmt->bind_result($id, $Nombre, $Edad, $Ciudad); 
     while ( $stmt-> fetch() ) {
          echo $id.",".$Nombre.",".$Edad.",".$Ciudad."\n";
     }
$stmt->close();
}

This query doesn't work and returns the result .

Is it possible that under PHP 8 the command $stmt->bind_param(); no longer works without a parameter in the round brackets?

Frank

Taifun · April 25, 2024, 12:53pm

As this is a php specific question let me suggest you to ask in a php community, for example at stackoverflow.com

Taifun

Frank-HRO · April 25, 2024, 1:21pm

Hello Taifun,

that's what I'm going to do.

Maybe Juan_Antonio as the creator of the script has another idea.

Frank

TIMAI2 · April 25, 2024, 1:52pm

See here ?

Frank-HRO · April 25, 2024, 5:31pm

Frank-HRO:

///////////////////////  SHOW TABLE  /////////////////////////////////////
if ($boton == "btnVerTabla"){
$stmt = $link->prepare("SELECT * FROM personas");
$stmt->bind_param();
$stmt->execute();
$stmt->bind_result($id, $Nombre, $Edad, $Ciudad); 
     while ( $stmt-> fetch() ) {
          echo $id.",".$Nombre.",".$Edad.",".$Ciudad."\n";
     }
$stmt->close();
}

Solution: Delete

$stmt->bind_param();

and it's working.

Frank

Taifun · May 25, 2025, 8:34pm

7 posts were split to a new topic: 403 Forbidden while trying to connect to web server

Mohammed_Alkabsi · May 28, 2025, 1:18pm

we need full project aia please with php code

TIMAI2 · May 28, 2025, 1:34pm

The full aia, php and mysql setup is provided by @Juan_Antonio, in the posts above.

Allen · October 22, 2025, 1:37pm

I'm doing a project, it helped me very much, but how can I show a img at my project ?
2025-10-22T00:00:00Z

TIMAI2 · October 22, 2025, 3:39pm

You can upload images as blobs directly into mySQL (there is another guide here by @Juan_Antonio on this very topic - read the whole topic), but the recommended method is to upload the image to a directory on your server and get the url to the image (you can use php for this as well), and store this url in the mySQL database. Ensure your image directory has permissions for saving and reading. You should consider resizing your images to suit your target audience.