php - SQL Injection to statements
This question already has an answer here:
- How can I prevent SQL injection in PHP? (28 answers)
I am setting up a page to "register" users in a MySQL database, using the following code:

    // Request values are placed directly into the SQL string
    $name = $_POST['name'];
    $saltedpwd = md5($definedsalt . $_POST['pwd']);
    $email = $_POST['email'];
    $query = "INSERT INTO `users` ( `name`, `pwd`, `email` ) VALUES ( '$name', '$saltedpwd', '$email' )";
    $insert = mysqli_query($database, $query);
Is this vulnerable to possible SQL injections?
For the email activation code, I am using this code:

    $address = $_GET['email'];
    if (isset($_GET['val']) && (strlen($_GET['val']) == 64)) {
        $validate = $_GET['val'];
    }
    if (isset($address) && isset($validate)) {
        // Both $_GET values are concatenated straight into the statement text
        $query = "UPDATE users SET activated = 'true' WHERE ( email = '$address' AND validate = '$validate' ) LIMIT 1";
        $result_query = mysqli_query($database, $query);
        $get_member = mysqli_query($database, "SELECT name FROM users WHERE email = '$address'");
        $query_get = mysqli_fetch_array($get_member);
        $validated_name = $query_get['name'];
        // The name read back from the database is concatenated as well
        $insert_validate = "INSERT INTO `member` ( `name` ) VALUES ( '$validated_name' )";
        $result_insert = mysqli_query($database, $insert_validate);
    }
Is this vulnerable to SQL injections? I suppose yes, because I retrieve the value from the $_GET request, and I guess they are allowed to put something like:

    page.php?email=address@address.com'sql_injection'&val=123456asdfghjkl

Am I wrong? If it is vulnerable, how can I prevent injections?
Yes, it is.
What if the user enters the following line as the name?
    ','',''); any_sql_query_here --

Then this

    $query = "INSERT INTO `users` ( `name`, `pwd`, `email` ) VALUES ( '$name', '$saltedpwd', '$email' )";

becomes

    INSERT INTO `users` ( `name`, `pwd`, `email` ) VALUES ( '','',''); any_sql_query_here --', '$saltedpwd', '$email' )
You should never use direct concatenation of strings in a query; you must use prepared statements.
More on prepared statements: http://php.net/manual/en/pdo.prepared-statements.php
For example, the query can be done like this:

    $query = "INSERT INTO users (name, pwd, email) VALUES (:name, :pwd, :email)";
    $statement = $pdoDatabaseHandle->prepare($query);
    $statement->bindValue(':name', $name);
    $statement->bindValue(':pwd', $saltedpwd);
    $statement->bindValue(':email', $email);
    $statement->execute();

SQL injection in general is explained at Wikipedia: https://en.wikipedia.org/wiki/sql_injection
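As an added example (not code from the question or the answer above), here is the activation flow from the question rewritten with mysqli prepared statements, since the asker already uses mysqli rather than PDO. It assumes the `$database` mysqli connection and the `users`/`member` tables named in the question, and additionally assumes the activation token is 64 hex characters (the question only checks its length).

```php
<?php
// Raise mysqli errors as exceptions so a failed prepare/execute cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function activateMember(mysqli $database, array $get): ?string
{
    $address  = $get['email'] ?? '';
    $validate = $get['val'] ?? '';

    // Validation is a second line of defence, not a substitute for binding.
    // Assumption: the token is 64 hex characters (the question only checks strlen == 64).
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false
        || !preg_match('/^[0-9a-f]{64}$/', $validate)) {
        return null;
    }

    // '?' placeholders are bound with a type string ('s' = string). The values travel
    // separately from the SQL text, so a quote inside $address cannot end the literal.
    $stmt = $database->prepare(
        "UPDATE users SET activated = 'true' WHERE email = ? AND validate = ? LIMIT 1"
    );
    $stmt->bind_param('ss', $address, $validate);
    $stmt->execute();
    $updated = $stmt->affected_rows;
    $stmt->close();
    if ($updated !== 1) {
        return null; // no pending account with that email/token, or already activated
    }

    $stmt = $database->prepare("SELECT name FROM users WHERE email = ? LIMIT 1");
    $stmt->bind_param('s', $address);
    $stmt->execute();
    $stmt->bind_result($name);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        return null;
    }

    // Data read back from the database is bound too: a name stored as
    // "','',''); ... --" is just a string value here, not SQL.
    $stmt = $database->prepare("INSERT INTO `member` (`name`) VALUES (?)");
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->close();

    return $name;
}
// Usage: $activatedName = activateMember($database, $_GET);
```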