If I'm going to query MySQL with this:

mysql_query("INSERT INTO subscribers (email, referral_id, user_id, ip_address)
VALUES ('$user_email', '$user_refer', '$user_share', '".$_SERVER['REMOTE_ADDR']."')");

How can I check that those variables (e.g. $user_mail), which have just been read from $_REQUEST["user_mail"], respect their MySQL type (varchar(30) not null)?

Once I have saved all of $_REQUEST in $vars, is there any fast function to check MySQL types?

Sam
w00dy

1 Answer

Firstly, you should be using prepared statements with PDO or MySQLi. I'd recommend PDO. There are a few examples of prepared statements w/ PDO on the PHP website.

Secondly, your app should control what gets sent to the database. You could write up custom validation rules to match each column:

if(strlen(trim($_REQUEST["user_mail"])) > 30){
    //Show error to user because they're not going to like having
    //their mail truncated without warning.
}

You can also look into using the SQL query:

DESCRIBE NameOfYourTable
Wayne Whitty
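The two points of the answer above combined, as an added example that is not part of the original answer: per-column validation followed by a PDO prepared statement. It assumes all three columns are VARCHAR(30) NOT NULL, uses hypothetical helper names (`validate_subscriber`, `insert_subscriber`) and input keys, and runs against an in-memory SQLite database as a stand-in for MySQL so it works offline.

```php
<?php
// Assumed schema: email, referral_id and user_id are VARCHAR(30) NOT NULL.
// Requires the mbstring and pdo_sqlite extensions.
const SUBSCRIBER_RULES = [
    'email'       => ['max' => 30, 'filter' => FILTER_VALIDATE_EMAIL],
    'referral_id' => ['max' => 30],
    'user_id'     => ['max' => 30],
];

// Returns a list of error messages; an empty list means the row fits the columns.
function validate_subscriber(array $input): array
{
    $errors = [];
    foreach (SUBSCRIBER_RULES as $field => $rule) {
        $value = $input[$field] ?? null;
        // NOT NULL check; is_string() also rejects array input such as email[]=x.
        if (!is_string($value) || trim($value) === '') {
            $errors[] = "$field is required";
            continue;
        }
        $value = trim($value);
        if (mb_strlen($value, 'UTF-8') > $rule['max']) { // VARCHAR(n) counts characters
            $errors[] = "$field is longer than {$rule['max']} characters";
        } elseif (isset($rule['filter']) && filter_var($value, $rule['filter']) === false) {
            $errors[] = "$field is not valid";
        }
    }
    return $errors;
}

// Values are bound as parameters, never concatenated into the SQL string.
function insert_subscriber(PDO $pdo, array $input, string $ip): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO subscribers (email, referral_id, user_id, ip_address)
         VALUES (:email, :referral_id, :user_id, :ip)'
    );
    $stmt->execute([
        ':email' => trim($input['email']), ':referral_id' => trim($input['referral_id']),
        ':user_id' => trim($input['user_id']), ':ip' => $ip,
    ]);
}

// Demo with constructed input; with MySQL the DSN would be mysql:host=...;dbname=...
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE subscribers (email VARCHAR(30) NOT NULL, referral_id VARCHAR(30) NOT NULL, user_id VARCHAR(30) NOT NULL, ip_address VARCHAR(45))');
$input = ['email' => 'sam@example.com', 'referral_id' => "O'Brien-42", 'user_id' => 'u1001'];
$errors = validate_subscriber($input);
if ($errors === []) insert_subscriber($pdo, $input, '203.0.113.7'); // constructed IP
echo $errors ? implode("\n", $errors) . "\n" : 'stored ' . $pdo->query('SELECT COUNT(*) FROM subscribers')->fetchColumn() . " row\n";
```

The single quote in the constructed `referral_id` is stored literally because it is bound as data; the length and NOT NULL checks are what let the application show an error instead of relying on the database to reject or truncate the value.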