Is my code vulnerable to SQL injection?


I am creating a CMS but I do not know how to write the code to get saved from sql injection, Let me know if there is sql injection vulnerability in my code.


        $servername = "localhost";
        $username = "root";
        $password = "";
        $db = "bangla";
        $con = new mysqli($servername, $username, $password, $db);
        mysqli_query($con, "SET CHARACTER SET utf8");
        mysqli_query($con, "SET SESSION collation collation='utf8_general_ci'");

        $id = NULL;

        $name = $_POST['name'];
        $name = strip_tags($name);
        $name = htmlentities($name);
        $name = mysqli_real_escape_string($con, $name);

        $distrct = $_POST['distrct'];
        $distrct = strip_tags($distrct);
        $distrct = htmlentities($distrct);
        $distrct = mysqli_real_escape_string($con, $distrct);

        $division = $_POST['division'];
        $distrct = strip_tags($division);
        $distrct = htmlentities($division);
        $distrct = mysqli_real_escape_string($con, $division);

        $stmt = $con->prepare("INSERT INTO couts (id, name, distrct, division) VALUES( ?,?,?,?)");
        $stmt->bind_param('ssss', $id, $name, $distrct, $division);
            echo "New record created successfully";


You don’t need strip_tags().

You don’t need htmlentities().

You don’t need mysqli_real_escape_string().

Just use query parameters.

Answered By – Bill Karwin

This Answer collected from stackoverflow, is licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply

(*) Required, Your email will not be published