Regarding SQL statements, we are using old SQL statements that are prone to SQL injection at this company I'm working for (they're all computer programmers with not alot of web experience) and I am trying to get them and myself to move towards using prepared statements. I have read so much about it already, but it's still a bit unclear.
For example, we are using an include(/mnt/configdb.php) and then a db_connect(); in our PHP files to connect to each SQL DB through an ini file using SQL (not SQLi). I want to use better methods/statements perhaps mysqli_connect() that will be flexible when we need to change servers and update SQL info (in the event of a server move). Any idea on what would work best? mysqli_connect() vs mysql_connect or using a function call to connect to the ini file on server like I'm doing already?
For example, I would like to set it up so that I create one connect.php file and it has multiple database connections for each schema I need to access, then I just include that file and the sqli statements in the necessary PHP file that is sending all the variables to the SQL DB that it needs to connect to. What's the best way to go about this or how can I convert what I have already (below) and turn it into sqli and prepared statements? Should I even use SQLi?? Or just stick with SQL?
configdb on server:
function db_config_cables()
{
//Parse and store the db ini file, this will return an associative array
global $dbhost, $dbuser, $dbpass, $dbname;
//Point to global ini file
$config_info = parse_ini_file('config.ini', true);
//Call specific db
$dbhost = $config_info['tablename_here']['db_host'];
$dbuser = $config_info['tablename_here']['db_user'];
$dbpass = $config_info['tablename_here']['db_pass'];
$dbname = $config_info['tablename_here']['db_name'];
}
accessdb file on server:
function db_connect()
{
global $dblink, $dbhost, $dbuser, $dbpass, $dbname;
$dblink = @mysql_connect($dbhost, $dbuser, $dbpass) or die ('DB ERROR - Could not connect: '.mysql_error());
@mysql_select_db($dbname) or die ('DB Error - Could not select: '.mysql_error());
}
function close_db()
{
global $dblink;
@mysql_close($dblink) or die ('DB ERROR - Could not close: '.mysql_error());
}
PHP file used to post data to SQL database:
require("/mnt/library/configdb.php");
require("/mnt/library/accessdb.php");
//Connect to SQL DB
db_config_cables();
db_connect();
$unsafe_variable = $_POST['unsafe_variable'];
mysql_query("INSERT INTO tablename (column_name,...) VALUES('$unsafe_variable',...)")
/* close connection */
close_db();