Monday, January 29, 2018

php - Is this a secure method to insert form data into a MySQL database?





Possible Duplicate:
How can I prevent SQL injection in PHP?







This is the example on w3schools.org:



HTML form:




    
        


            Firstname: 
            Lastname: 
            Age:



File insert.php:




    $con = mysql_connect("localhost","peter","abc123");
    if (!$con)
    {
        die('Could not connect: ' . mysql_error());
    }

    mysql_select_db("my_db", $con);


    $sql="INSERT INTO Persons (FirstName, LastName, Age)
          VALUES
          ('$_POST[firstname]','$_POST[lastname]','$_POST[age]')";

    if (!mysql_query($sql,$con))
    {
        die('Error: ' . mysql_error());
    }
    echo "1 record added";


    mysql_close($con)
?>


I've read through other questions on here, but I couldn't find a direct answer, as most were much more complicated.



I looked at How can I prevent SQL injection in PHP?, but I'm a bit confused on how to modify this:



$preparedStatement = $db->prepare('INSERT INTO table (column) VALUES (:column)');


$preparedStatement->execute(array(':column' => $unsafeValue));


Assuming I used the HTML form above and wanted to insert the data from field 'firstname' into the database, should it look like this? Or am I supposed to modify column?:



$preparedStatement = $db->prepare('INSERT INTO table (column) VALUES (:column)');

$preparedStatement->execute(array(':column' => $firstname));

Answer




The example you provided inserts the post vars into the database without first analyzing them for evil user input. Use type casting, escaping/filter functions, prepared statements etc. before using them to interact with your DB.



A general rule to go by is to never trust user input. EVER!



Check out: Best way to stop SQL Injection in PHP



In response to your question, here is how you'd handle the entire form using PDO prepared statements.



$stmt = $db->prepare('INSERT INTO Persons (FirstName, LastName, Age) VALUES (:first_name, :last_name, :age)');


$stmt->execute(array(':first_name' => $first_name,':last_name' => $last_name, ':age' => $age));


If you just want to insert one column in the record like you asked, the syntax would be:



$stmt = $db->prepare('INSERT INTO Persons (FirstName) VALUES (:first_name)');

$stmt->execute(':first_name', $first_name);

-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

plot explanation - Why did Peaches' mom hang on the tree? - Movies & TV

In the middle of the movie Ice Age: Continental Drift Peaches' mom asked Peaches to go to sleep. Then, she hung on the tree. This parti...