Jason Pruim wrote:
Hi Everyone,
I think I have found a way to prevent SQL code injection into my database
and just wanted to get everyone's comments on my method.
<?php
include 'defaults.php';
// Setting error message variable to nothing
$errmsg = "";
// Check form info (each message now names the field actually being checked)
if (!isset($_POST['FName']) || empty($_POST['FName'])) $errmsg .= "<P>Please enter your first name</P>";
if (!isset($_POST['LName']) || empty($_POST['LName'])) $errmsg .= "<P>Please enter your last name</P>";
if (!isset($_POST['Add1']) || empty($_POST['Add1'])) $errmsg .= "<P>Please enter your address</P>";
if (!isset($_POST['City']) || empty($_POST['City'])) $errmsg .= "<P>Please enter your city</P>";
if (!isset($_POST['State']) || empty($_POST['State'])) $errmsg .= "<P>Please enter your state</P>";
if (!isset($_POST['Zip']) || empty($_POST['Zip'])) $errmsg .= "<P>Please enter your zip code</P>";
if (!isset($_POST['subName']) || empty($_POST['subName'])) $errmsg .= "<P>Please enter your submitter name</P>";
// Tell script what to do if there is an error message
if ($errmsg != "") {
    echo $errmsg;
    echo "<a href=\"javascript:history.back();\">Please go back and fill out the missing fields</a>";
    exit;
} else {
    echo "<p>success: all fields were filled out</p>";
}
// Required fields (validated above)
$FName   = $_POST['FName'];
$LName   = $_POST['LName'];
$Add1    = $_POST['Add1'];
$City    = $_POST['City'];
$State   = $_POST['State'];
$Zip     = $_POST['Zip'];
$subName = $_POST['subName'];
// Optional fields: default to empty so a missing key does not raise a notice
$Add2     = isset($_POST['Add2']) ? $_POST['Add2'] : '';
$subEmail = isset($_POST['subEmail']) ? $_POST['subEmail'] : '';
$subPhone = isset($_POST['subPhone']) ? $_POST['subPhone'] : '';
$Date   = $_SERVER['REQUEST_TIME'];
$Record = "\t";
// Checkbox groups arrive as arrays; store them serialized
$chkMember = serialize(isset($_POST['chkMember']) ? $_POST['chkMember'] : array());
$chkAdd    = serialize(isset($_POST['chkAdd']) ? $_POST['chkAdd'] : array());
$chkDel    = serialize(isset($_POST['chkDel']) ? $_POST['chkDel'] : array());
echo "$FName First Name<BR>";
// mysqli functions need mysqli_connect_error(), not the old mysql_error()
$link = mysqli_connect($server, $username, $password, $database)
    or die('Could not connect: ' . mysqli_connect_error());
echo 'Connected successfully <BR>';
//mysqli_select_db($link, 'legion') or die('Could not select database: ' . mysqli_error($link));
echo 'DB selected <BR>';
//Create the statement: 15 placeholders, one per column, values are bound below
$stmt = mysqli_prepare($link, "INSERT INTO current VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)");
if (!$stmt) {
    die('Could not prepare statement: ' . mysqli_error($link));
}
// 15 type characters ('s' = string) matching the 15 bound variables
mysqli_stmt_bind_param($stmt, 'sssssssssssssss', $FName, $LName, $Add1,
    $Add2, $City, $State, $Zip, $Date, $Record, $subName, $subEmail,
    $subPhone, $chkMember, $chkAdd, $chkDel);
//Add the record
mysqli_stmt_execute($stmt);
printf("%d Row Inserted.\n", mysqli_stmt_affected_rows($stmt));
//Close the statement and the connection
mysqli_stmt_close($stmt);
mysqli_close($link);
?>
The reason I am echoing $FName just above the link was a debugging tool
to make sure that it was filling at least SOME of the fields properly
before inserting them into the database.
Also, just for planning purposes, I do plan on adding authentication to
the form (which I think I can do and track with sessions) but I have
a lot more reading to do before I can get that right.
One other thing... What I did to test it was in the $FName field I
typed: "Jason"; "SELECT * FROM table"; and it inserted the value, but
didn't execute the code. Am I correct in thinking that I'm fairly safe
from the bad people and the stupid users?
I cannot see any sql-injection protection in your code anywhere. Seems
as you're using mysqli, take a look at the mysqli_real_escape_string()
function. You need to run each _POST variable through it.
$FName = mysqli_real_escape_string($link, $_POST['FName']);
Or if your post data only contains data to be entered into the database,
you might consider running everything through the function to make
things easier:
foreach ($_POST as $k => $v)
    $_POST[$k] = mysqli_real_escape_string($link, $v);
Darren
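An added example (not from either poster) showing why Jason's test string came through as plain data: with placeholders and bound parameters the SQL text is fixed before any value is attached, so the values can only ever be column data, whereas splicing input into the SQL string breaks on a mere apostrophe. It uses Python's built-in sqlite3 in place of mysqli so it runs with no database server; the table is a constructed two-column stand-in for "current".

```python
import sqlite3

# Constructed sample inputs: the exact string Jason typed into his test,
# and an ordinary name that happens to contain an apostrophe.
TEST_INPUT = '"Jason"; "SELECT * FROM table"'
APOSTROPHE_NAME = "O'Brien"


def fresh_db():
    """In-memory database with a two-column stand-in for the 'current' table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE current (FName TEXT, LName TEXT)")
    return db


def insert_by_concatenation(db, fname, lname):
    """The risky pattern: user input spliced into the SQL text itself."""
    db.execute(f"INSERT INTO current VALUES ('{fname}', '{lname}')")
    db.commit()


def insert_by_binding(db, fname, lname):
    """The pattern from the post: placeholders plus bound parameters. The SQL
    text never changes; values travel separately and can only be column data."""
    db.execute("INSERT INTO current VALUES (?, ?)", (fname, lname))
    db.commit()


def run_demo():
    """Returns (FName values stored via binding, whether concatenation failed)."""
    db = fresh_db()
    # Binding stores both inputs verbatim, quotes and SQL keywords included.
    insert_by_binding(db, TEST_INPUT, "Pruim")
    insert_by_binding(db, APOSTROPHE_NAME, "Pruim")
    bound_rows = [row[0] for row in db.execute("SELECT FName FROM current")]

    # Concatenation cannot even cope with a legitimate apostrophe: the quote
    # closes the string literal early and the statement no longer parses.
    concat_failed = False
    try:
        insert_by_concatenation(db, APOSTROPHE_NAME, "Pruim")
    except sqlite3.OperationalError:
        concat_failed = True
    return bound_rows, concat_failed
```

The same holds for mysqli_prepare()/mysqli_stmt_bind_param() in the post: the bound values never become part of the statement text, which is the protection Darren's reply is looking for.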
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php