Re: Protecting MySQL Injection from PHP form

Jason Pruim wrote:
Hi Everyone,

I think I have found a way to prevent SQL code injection into my database and just wanted to get everyone's comments on my method.

<?PHP
include 'defaults.php';

// Setting error message variable to nothing
$errmsg = "";

// Check form info
if (!isset($_POST['FName']) || empty($_POST['FName'])) $errmsg .= "<P>Please enter your first name</P>";
if (!isset($_POST['LName']) || empty($_POST['LName'])) $errmsg .= "<P>Please enter your last name</P>";
if (!isset($_POST['Add1']) || empty($_POST['Add1'])) $errmsg .= "<P>Please enter your address</P>";
if (!isset($_POST['City']) || empty($_POST['City'])) $errmsg .= "<P>Please enter your city</P>";
if (!isset($_POST['State']) || empty($_POST['State'])) $errmsg .= "<P>Please enter your state</P>";
if (!isset($_POST['Zip']) || empty($_POST['Zip'])) $errmsg .= "<P>Please enter your zip code</P>";
if (!isset($_POST['subName']) || empty($_POST['subName'])) $errmsg .= "<P>Please enter your submitter name</P>";


// Tell script what to do if there is a error message
if ($errmsg!= "") {
echo $errmsg;
echo "<a href=\"javascript:history.back();\">Please go back and fill out the missing fields</a>";
exit;
} else {
echo "<p>success: all fields were filled out</p>";
}


$FName= $_POST['FName'];
$LName= $_POST['LName'];
$Add1= $_POST['Add1'];
$Add2= $_POST['Add2'];
$City= $_POST['City'];
$State= $_POST['State'];
$Zip= $_POST['Zip'];
$Date= $_SERVER['REQUEST_TIME'];
$Record= "\t";
$subName= $_POST['subName'];
$subEmail= $_POST['subEmail'];
$subPhone= $_POST['subPhone'];
$chkMember=serialize($_POST['chkMember']);
$chkAdd=serialize($_POST['chkAdd']);
$chkDel=serialize($_POST['chkDel']);



echo "$FName First Name<BR>";
$link = mysqli_connect($server, $username, $password, $database)
    or die('Could not connect: ' . mysqli_connect_error());
echo 'Connected successfully <BR>';
//mysqli_select_db($link, 'legion') or die('Could not select database: ' . mysqli_error($link));
echo 'DB selected <BR>';


//Create the statement
$stmt = mysqli_prepare($link, "INSERT INTO current VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)");
mysqli_stmt_bind_param($stmt, 'sssssssssssssss', $FName, $LName, $Add1, $Add2, $City, $State, $Zip, $Date, $Record, $subName, $subEmail, $subPhone, $chkMember, $chkAdd, $chkDel);
//Add the record
mysqli_stmt_execute($stmt);
printf("%d Row Inserted.\n", mysqli_stmt_affected_rows($stmt));

//Close the statement
mysqli_stmt_close($stmt);



?>

The reason I am echoing $FName just above the link was a debugging tool to make sure that it was filling at least SOME of the fields properly before inserting them into the database.

Also, just for planning purposes, I do plan on adding authentication to the form (which I think I can do and track with sessions) but I have a lot more reading to do before I can get that right.

One other thing... What I did to test it was in the $FName field I typed: "Jason"; "SELECT * FROM table"; and it inserted the value, but didn't execute the code. Am I correct in thinking that I'm fairly safe from the bad people and the stupid users?

I cannot see any sql-injection protection in your code anywhere? Seems as you're using mysqli, take a look at the mysqli_real_escape_string() function. You need to run each _POST variable through it.

	$FName = mysqli_real_escape_string($link, $_POST['FName']);

Or if your post data only contains data to be entered into the database, you might consider running everything through the function to make things easier:

	foreach($_POST as $k => $v)
		$_POST[$k] = mysqli_real_escape_string($link, $v);


Darren
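As an added example (not code from either post), here is the same insert written three ways: the string-built form that is injectable, the escaping Darren suggests with the connection handle the procedural call requires, and the bound parameters Jason's script already uses. The two-column table, connection values and the test input are assumed placeholders.

```php
<?php
// Added example, not from the original thread. Connection values are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of die()
$link = mysqli_connect('localhost', 'user', 'secret', 'legion');

// Constructed inputs: Jason's test value, plus a name containing an apostrophe.
$fname = '"Jason"; "SELECT * FROM table"';
$lname = "O'Brien";

// 1. Injectable: the untrusted value is spliced into the SQL text. The apostrophe
//    in $lname closes the literal early, so whatever follows is parsed as SQL.
function insertUnsafe(mysqli $link, string $fname, string $lname): bool {
    $sql = "INSERT INTO current (FName, LName) VALUES ('$fname', '$lname')";
    return mysqli_query($link, $sql); // do not do this
}

// 2. Escaping (Darren's suggestion). The procedural form needs $link first so it
//    escapes for the connection's character set. It only protects quoted string
//    literals; an unquoted numeric value or a column name would still be injectable.
function insertEscaped(mysqli $link, string $fname, string $lname): bool {
    $f = mysqli_real_escape_string($link, $fname);
    $l = mysqli_real_escape_string($link, $lname);
    return mysqli_query($link, "INSERT INTO current (FName, LName) VALUES ('$f', '$l')");
}

// 3. Bound parameters (what Jason's script does). The SQL text is fixed at prepare
//    time and values travel separately, so they are never parsed as SQL.
function insertPrepared(mysqli $link, string $fname, string $lname): int {
    $stmt = mysqli_prepare($link, "INSERT INTO current (FName, LName) VALUES (?, ?)");
    mysqli_stmt_bind_param($stmt, 'ss', $fname, $lname);
    mysqli_stmt_execute($stmt);
    $rows = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    return $rows;
}

try {
    insertUnsafe($link, $fname, $lname);
} catch (mysqli_sql_exception $e) {
    echo "unsafe insert failed: the apostrophe in the input broke the SQL\n";
}
printf("%d row inserted via escaping\n", insertEscaped($link, $fname, $lname) ? 1 : 0);
printf("%d row inserted via bound parameters\n", insertPrepared($link, $fname, $lname));
```

Jason's test string was stored as plain data in the third form for the same reason it was in his script: a bound value is sent as a value, never as part of the statement text, regardless of the quotes or keywords it contains.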

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

