Sadly, my student website just got hacked. Someone inserted a script tag and it was stored in the database. The database has also been published on a website called pastebin. I just took down the website. Can someone show me how to fix this quickly?
Use a combination of filters and prepared statements.
http://php.net/manual/en/function.filter-input.php
http://php.net/manual/en/pdo.prepared-statements.php
You can use strip_tags() before inserting any value into the database to remove any HTML or PHP tags from the string.
This is how you remove HTML and PHP tags from a string:
$code=strip_tags($code);
Use it with every variable you want to insert into the database.
$code=strip_tags($code);
$fn=strip_tags($fn);
$em=strip_tags($em);
$un=strip_tags($un);
$hash=strip_tags($hash);
$salt=strip_tags($salt);
$ip=strip_tags($ip);
$this->db1->query("INSERT INTO users SET"
    . " code='" . $code . "',"
    . " firstname='" . $fn . "',"
    . " email='" . $em . "',"
    . " username='" . $un . "',"
    . " password='" . $hash . "',"
    . " salt='" . $salt . "',"
    . " registerdate='" . time() . "',"
    . " ipregister='" . $ip . "'");
strip_tags() doesn't prevent SQL injection completely, though. You should rather use prepared statements.
Reference: http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
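As an added example (not code from the question or from either answer), here is the same users INSERT written with a PDO prepared statement, with the stored value HTML-encoded at output time. It uses an in-memory SQLite database so it runs stand-alone; the column names follow the second answer, while the function names, the sample inputs and the use of password_hash() are my own assumptions.

```php
<?php
// Added example, not from the original page. In-memory SQLite stands in for MySQL so
// the script runs without a server; the PDO calls are identical for a mysql: DSN.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // fail loudly, never silently
    ]);
    // Same columns as the answer's INSERT ... SET statement.
    $db->exec('CREATE TABLE users (
        code TEXT, firstname TEXT, email TEXT, username TEXT,
        password TEXT, salt TEXT, registerdate INTEGER, ipregister TEXT)');
    return $db;
}

function registerUser(PDO $db, array $in): void
{
    // The SQL text is fixed; every user-controlled value travels as a bound parameter,
    // so quotes, comment markers and tags inside the data cannot change the statement.
    $stmt = $db->prepare(
        'INSERT INTO users (code, firstname, email, username, password, salt, registerdate, ipregister)
         VALUES (:code, :fn, :em, :un, :hash, :salt, :ts, :ip)'
    );
    $stmt->execute([
        ':code' => $in['code'],
        ':fn'   => $in['firstname'],
        ':em'   => $in['email'],
        ':un'   => $in['username'],
        // password_hash() generates and embeds its own salt (assumption on my part);
        // the salt column is kept only to match the answer's table layout.
        ':hash' => password_hash($in['password'], PASSWORD_DEFAULT),
        ':salt' => '',
        ':ts'   => time(),
        ':ip'   => $in['ip'],
    ]);
}

function cell(string $value): string
{
    // Encode at output time, not at storage time: the database keeps the literal text,
    // the browser receives entities and renders them as text, never as markup.
    return '<td>' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

$db = openDb();

// Constructed attacker input (not real data): a stored-XSS payload in firstname and an
// attempt to close the VALUES list and start a second statement in username.
registerUser($db, [
    'code'      => 'abc123',
    'firstname' => '<script>alert(document.cookie)</script>',
    'email'     => 'user@example.com',
    'username'  => "admin', 'x', 'x', 'x', 0, '0.0.0.0'); DROP TABLE users; -- ",
    'password'  => 'hunter2',
    'ip'        => '203.0.113.7',
]);

$count = (int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn();
$row   = $db->query('SELECT firstname, username FROM users')->fetch(PDO::FETCH_ASSOC);

// Exactly one row, the table still exists, and the payload was stored unchanged.
if ($count !== 1 || $row['firstname'] !== '<script>alert(document.cookie)</script>') {
    throw new RuntimeException('unexpected database state');
}
echo '<tr>' . cell($row['firstname']) . cell($row['username']) . "</tr>\n";
```

Running it prints one table row whose first cell contains `&lt;script&gt;alert(document.cookie)&lt;/script&gt;` and whose second cell shows the attempted injection string as plain text; the COUNT check confirms that the quote and comment sequence in the username did not terminate the statement. Parameters on the way in and htmlspecialchars() on the way out address both halves of the question: the stored tag cannot execute, and a quote in a form field cannot alter the query.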
I'm self-learning MySQL and PHP for a few days now and I'm stuck on this error and can't help myself. Can you look at the code? Thanks!
This is the error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' at line 7
Here is the page:
switch ($_GET['action']) {
    case 'add':
        switch ($_GET['type']) {
            case 'movie':
                $query = 'INSERT INTO
                    movie
                    (movie_name, movie_year, movie_type)
                    VALUES
                    ("' . $_POST['movie_name'] . '",
                    ' . $_POST['movie_year'] . ',
                    ' . $_POST['movie_type'] . ')';
                break;
        }
        break;
}
if (isset($query)) {
    $result = mysql_query($query, $db) or die(mysql_error($db));
}
I think the problem may be in here:
<td><select name='movie_type'>
<?php
$query = 'SELECT movietype_label FROM movietype ORDER BY movietype_id';
$result = mysql_query($query, $db) or die (mysql_error($db));
while ($row = mysql_fetch_assoc($result)) {
foreach ($row as $value) {
echo '<option value="' . $row['movietype_id'] . '">';
echo $row['movietype_label'] . '</option>';
}
}
?>
</select></td>
and here is the print_r output:
Array
(
    [movie_name] => asd
    [movie_type] =>
    [movie_year] => 2015
    [submit] => ADD
)
Shouldn't you be using a double quote " instead of a single quote ' like below? You are mixing single and double quotes.
$query = "INSERT INTO
movie
(movie_name, movie_year, movie_type)
VALUES
('" . $_POST['movie_name'] . "',
'" . $_POST['movie_year'] . "',
'" . $_POST['movie_type'] . "')";
Granted, this is ugly, but I would be surprised if it fails.
$query = "INSERT INTO
movie (movie_name, movie_year, movie_type)
VALUES
('"
. $_POST['movie_name'] . "','"
. $_POST['movie_year'] . "','"
. $_POST['movie_type'] . "')";
Also, you need to cleanse your data. Data acted on directly from the user, without cleansing or proper separation of data from code, can, and some day will, contain SQL injection.
Ugly code like the above starts to take on some beauty with mysqli and PDO; plus, the parameters are safely separated, and all the moaning about injection goes away.
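As an added example (not code from the question or the answer), here is the movie INSERT with the POST fields validated before a PDO prepared statement binds them with explicit types. The question's own print_r() shows movie_type arriving empty: the form's SELECT fetches only movietype_label while the option value reads $row['movietype_id'], and that empty value concatenated into the query is what produced the syntax error near ')'. The block uses an in-memory SQLite database so it runs stand-alone; the table and column names follow the question, while the function name, the year range and the messages are my own choices.

```php
<?php
// Added example, not from the original page. In-memory SQLite stands in for MySQL.
declare(strict_types=1);

function insertMovie(PDO $db, array $post): int
{
    // Validate first. An empty movie_type (exactly what the question's print_r shows)
    // is refused with a clear message instead of surfacing as a SQL syntax error.
    $name = trim((string) ($post['movie_name'] ?? ''));
    if ($name === '' || strlen($name) > 255) {
        throw new InvalidArgumentException('movie_name is required (1-255 bytes)');
    }
    // FILTER_VALIDATE_INT returns false for '', non-numeric text, arrays and null.
    $year = filter_var($post['movie_year'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1888, 'max_range' => 2100]]);   // range is an assumption
    $type = filter_var($post['movie_type'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($year === false || $type === false) {
        throw new InvalidArgumentException('movie_year and movie_type must be integers');
    }

    // Only placeholders appear in the SQL; quoting is no longer the caller's problem.
    $stmt = $db->prepare('INSERT INTO movie (movie_name, movie_year, movie_type) VALUES (?, ?, ?)');
    $stmt->bindValue(1, $name, PDO::PARAM_STR);
    $stmt->bindValue(2, $year, PDO::PARAM_INT);
    $stmt->bindValue(3, $type, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE movie (
    movie_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    movie_name TEXT    NOT NULL,
    movie_year INTEGER NOT NULL,
    movie_type INTEGER NOT NULL)');

// Constructed POST bodies (not real submissions): the question's own (movie_type
// empty), a tampered movie_type, and a valid row whose title contains apostrophes.
$posts = [
    ['movie_name' => 'asd',             'movie_year' => '2015', 'movie_type' => ''],
    ['movie_name' => 'asd',             'movie_year' => '2015', 'movie_type' => "1); DROP TABLE movie; --"],
    ['movie_name' => "O'Brien's Story", 'movie_year' => '2015', 'movie_type' => '2'],
];
foreach ($posts as $post) {
    try {
        printf("inserted movie_id %d\n", insertMovie($db, $post));
    } catch (InvalidArgumentException $e) {
        printf("rejected: %s\n", $e->getMessage());
    }
}
```

The first two constructed submissions are rejected before any SQL is built, with a message naming the field; the third is stored, apostrophes and all, because the value never enters the SQL text.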
I'm new here and I need some help, please. If you could give me a solution to my problem it would be great. So I need some help to resolve this problem; here is the HTML:
<html><body>
<form method="post" action="test.php">
Flights on: <br/>
<input type="checkbox" name="Days[]" value="Daily">Daily<br>
<input type="checkbox" name="Days[]" value="Sunday">Sunday<br>
<input type="checkbox" name="Days[]" value="Monday">Monday<br>
<input type="checkbox" name="Days[]" value="Tuesday">Tuesday <br>
<input type="checkbox" name="Days[]" value="Wednesday">Wednesday<br>
<input type="checkbox" name="Days[]" value="Thursday">Thursday <br>
<input type="checkbox" name="Days[]" value="Friday">Friday<br>
<input type="checkbox" name="Days[]" value="Saturday">Saturday <br>
<input type="submit" name="submit" value="submit">
</form>
</body>
</html>
And the PHP one:
<?php
// Make a MySQL Connection
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("test") or die(mysql_error());
$checkBox = implode(',', $_POST['Days']);
if (isset($_POST['submit']))
{
    $query = "INSERT INTO test (c1,c2,c3,c4,c5,c6,c7) VALUES (" . $_POST['Days'][0] . ",
        " . $_POST['Days'][1] . ",
        " . $_POST['Days'][2] . ",
        " . $_POST['Days'][3] . ",
        " . $_POST['Days'][4] . ",
        " . $_POST['Days'][5] . ",
        " . $_POST['Days'][6] . ",
        " . $_POST['Days'][7] . ")";
    mysql_query($query) or die (mysql_error());
    echo "Complete";
}
?>
It says to me "undefined offsets" and: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ',,,,)' at line 1
Please HELP!
I need to insert the values of the checked checkboxes into my SQL db.
Simply use implode():
echo "INSERT INTO test (c1,c2,c3,c4,c5,c6,c7) VALUES ('" . implode("','", $_POST['Days']) . "')";
output:
INSERT INTO test (c1,c2,c3,c4,c5,c6,c7) VALUES ('Daily','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday')
If a checkbox is not checked it will not be posted. You can add custom keys for your checkboxes, like Days[Daily], and then check whether the value is set using PHP:
$daily = empty($_POST['Days']['Daily']) ? 0 : $_POST['Days']['Daily'];
You should do the same thing with all checkboxes.
Reason:
The unselected checkbox will not be posted.
For instance, if you didn't select checkbox 7, then $_POST['Days'][7] will be empty, and your query will end with ',,)'. Like this:
INSERT INTO test (c0,c1,c2,c3,c4,c5,c6,c7) VALUES (0,1,2,3,4,5,6,,)
And also, your columns should match your fields.
Changing your query logic to something like this will work:
$query="INSERT INTO test (c0,c1,c2,c3,c4,c5,c6,c7) VALUES ('" . $_POST['Days'][0] . "',
'" . $_POST['Days'][1] . "',
'" . $_POST['Days'][2] . "',
'" . $_POST['Days'][3] . "',
'" . $_POST['Days'][4] . "',
'" . $_POST['Days'][5] . "',
'" . $_POST['Days'][6] . "',
'" .$_POST['Days'][7] . "')";
It will produce
INSERT INTO test (c0,c1,c2,c3,c4,c5,c6,c7) VALUES ('0','1','2','3','4','5','6','')
Check this out to learn how to connect to mysql. http://www.w3schools.com/php/func_mysql_connect.asp
I would recommend that before jumping straight into PHP, you learn the basics and then start to build out your own PHP project.
Also, always look at the error given: it says that the error is on line one of your PHP code, so you should check that out to find the problem.
Here are some of the best places to learn code...
http://www.codecademy.com/ and http://www.phptherightway.com/
The first one is interactive and is probably the most useful to get you started. Then check out PHP The Right Way, as it will show you how to make a PHP project the right and most up-to-date way.
Good luck on your future PHP projects. :)
The error is here: $checkBox = implode(',', $_POST['Days']);
the ',' part: you should use "','" instead of ',' because SQL needs each value within single quote marks.
And here: VALUES (" . $_POST['Days'][0] . ", .... , " .$_POST['Days'][7] . ")";
you are missing the starting single quote mark for the first value and the ending single quote mark for the final value, so add an extra single quote mark after the opening bracket and before the closing bracket:
VALUES ('" . $_POST['Days'][0] . ", .... , " .$_POST['Days'][7] . "')";
*And use mysqli_ with prepared statements; don't use mysql_ when dealing with the database, since it will be deprecated soon, and for better security.
Hey, I think you need to change your PHP. You need to store it in variables. Please check this code and tell me whether it is working or not. And you need to add one more column, c8.
<?php
// Make a MySQL Connection
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("test") or die(mysql_error());
$checkBox = implode(',', $_POST['Days']);
$days1 = $_POST['Days'][0];
$days2 = $_POST['Days'][1];
$days3 = $_POST['Days'][2];
$days4 = $_POST['Days'][3];
$days5 = $_POST['Days'][4];
$days6 = $_POST['Days'][5];
$days7 = $_POST['Days'][6];
$days8 = $_POST['Days'][7];
if (isset($_POST['submit']))
{
    // eight columns, eight values
    $query = "INSERT INTO test (c1,c2,c3,c4,c5,c6,c7,c8) VALUES
        ('$days1','$days2','$days3','$days4','$days5','$days6','$days7','$days8')";
    mysql_query($query) or die (mysql_error());
    echo "Complete";
}
?>
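As an added example (not code from the question or any of the answers), here is how to store whichever days were checked without indexing $_POST['Days'][0] to [7]: filter the submitted values through an allowlist, then build one placeholder pair per surviving value for a prepared statement. It uses an in-memory SQLite database so it runs stand-alone. The table (flight_days, one row per flight and day) is my own layout rather than the question's c1..c7 columns; the function name and the constant are also assumptions.

```php
<?php
// Added example, not from the original page. In-memory SQLite stands in for MySQL.
declare(strict_types=1);

// The only values the form offers; anything else in the POST body was tampered with.
const ALLOWED_DAYS = ['Daily', 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday'];

function insertFlightDays(PDO $db, int $flightId, $days): int
{
    // Unchecked boxes are absent from $_POST['Days'], so the list can have any length
    // from 0 to 8: iterate what arrived instead of indexing [0]..[7].
    if (!is_array($days)) {
        return 0;
    }
    // Keep only strings that appear in the allowlist; edited values, injection
    // attempts and nested arrays are dropped here, before any SQL exists.
    $days = array_values(array_unique(array_intersect(array_filter($days, 'is_string'), ALLOWED_DAYS)));
    if ($days === []) {
        return 0;
    }
    // Placeholders are derived from the count of values, never from the values.
    $placeholders = implode(', ', array_fill(0, count($days), '(?, ?)'));
    $stmt = $db->prepare("INSERT INTO flight_days (flight_id, day) VALUES $placeholders");
    $params = [];
    foreach ($days as $day) {
        $params[] = $flightId;
        $params[] = $day;
    }
    $stmt->execute($params);
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE flight_days (
    flight_id INTEGER NOT NULL,
    day       TEXT    NOT NULL,
    UNIQUE (flight_id, day))');

// Constructed POST bodies (not real submissions): a normal selection, a tampered
// value alongside a valid one, and a submit with nothing checked (no Days key at all).
$submissions = [
    1 => ['Days' => ['Monday', 'Friday']],
    2 => ['Days' => ['Sunday', "x'); DROP TABLE flight_days; --"]],
    3 => ['submit' => 'submit'],
];
foreach ($submissions as $flightId => $post) {
    $n = insertFlightDays($db, $flightId, $post['Days'] ?? null);
    printf("flight %d: %d day(s) stored\n", $flightId, $n);
}
```

With the constructed submissions, flight 1 stores two rows, flight 2 stores one (the tampered value is not in the allowlist and is dropped before the query is built), and flight 3 stores none because the Days key is absent, which is exactly what an all-unchecked form sends.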
I have this code:
$list_summoners = $con->query("SELECT * FROM verified_users WHERE Username='" . $search_user . "'");
and I was wondering how I could format it, like:
$list_summoners = mysqli_query($con, "SELECT * FROM verified_users WHERE Username='" . $search_user . "'");
echo '<table align="center" style="text-align:center;"><tr><th>User</th><th>Summoner ID</th><th>Summoner Region</th><th>View Summoner</th></tr>';
while($row = mysqli_fetch_array($list_summoners)) {
echo '<tr><td>' . $row['username'] . '</td><td>' . $row['summoner_id'] . '</td><td>' . $row['summoner_region'] . '</td><td><span class="button color_dark">View</span></td></tr>';
}
echo '</table>';
I am asking this because I know mysqli_query is open to abuse.
Thanks in advance.
mysqli_query($con, 'SELECT...') called in procedural style, and $con->query('SELECT...') called in object-oriented style, perform exactly the same function. In both styles $con is the same object, a mysqli connection object; the MySQLi API simply offers two ways of interacting with it.
So, the use of mysqli_query() and $con->query() are both equally insecure when used the way you are using them, concatenating in a variable $search_user. The secure method would be to avoid mysqli_query() entirely and instead use a prepared statement:
$stmt = $con->prepare('SELECT * FROM verified_users WHERE Username = ?');
if ($stmt) {
    $stmt->bind_param('s', $search_user);
    $stmt->execute();
    // Then bind & fetch()...
} else {
    echo $con->error;
}
See How can I prevent SQL injection in PHP for more details & examples on executing and fetching from the prepared statement.
Using $con->query() as you are, to fetch rows with a while loop you may call $list_summoners->fetch_array(), as it is an object of class mysqli_result:
if ($list_summoners) {
    echo '<table align="center" style="text-align:center;"><tr><th>User</th><th>Summoner ID</th><th>Summoner Region</th><th>View Summoner</th></tr>';
    while ($row = $list_summoners->fetch_array()) {
        echo '<tr><td>' . htmlspecialchars($row['username']) . '</td><td>' . htmlspecialchars($row['summoner_id']) . '</td><td>' . htmlspecialchars($row['summoner_region']) . '</td><td><span class="button color_dark">View</span></td></tr>';
    }
    echo '</table>';
}
Note the addition of htmlspecialchars() to those values when they are sent to output as HTML. Even if they did not originate from user input, it is an important habit to be in, as it prevents cross-site scripting when outputting values that originate from user input, or values that contain characters requiring entity encoding in HTML.
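The "bind & fetch()" step the answer leaves as a comment, written out as an added example (not the question's or the answer's code). It assumes a live MySQL server, a mysqli connection opened with the placeholder credentials shown, and a verified_users table with the three columns the question prints (username, summoner_id, summoner_region); the function names and the $_GET parameter name are my own. It does not run without such a server.

```php
<?php
// Added example, not from the original page. Requires a MySQL server and the
// verified_users table described in the question; credentials below are placeholders.
declare(strict_types=1);

function findVerifiedUsers(mysqli $con, string $searchUser): array
{
    // Name the columns instead of SELECT * so bind_result() has a fixed shape.
    $stmt = $con->prepare(
        'SELECT username, summoner_id, summoner_region FROM verified_users WHERE username = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    // The value is sent to the server separately from the SQL text; a search string
    // such as "' OR 1=1 --" is compared literally and simply matches nothing.
    $stmt->bind_param('s', $searchUser);
    $stmt->execute();
    $stmt->bind_result($username, $summonerId, $region);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = [
            'username'        => $username,
            'summoner_id'     => $summonerId,
            'summoner_region' => $region,
        ];
    }
    $stmt->close();
    return $rows;
}

function renderUserTable(array $rows): string
{
    // Encode every value at the point it becomes HTML, whatever its origin.
    $e = static fn ($v): string => htmlspecialchars((string) $v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $html = '<table align="center" style="text-align:center;"><tr><th>User</th><th>Summoner ID</th><th>Summoner Region</th><th>View Summoner</th></tr>';
    foreach ($rows as $r) {
        $html .= '<tr><td>' . $e($r['username']) . '</td><td>' . $e($r['summoner_id']) . '</td><td>'
               . $e($r['summoner_region']) . '</td><td><span class="button color_dark">View</span></td></tr>';
    }
    return $html . '</table>';
}

// Usage with assumed connection details; exceptions instead of silent false returns.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$con = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$con->set_charset('utf8mb4');

$searchUser = (string) ($_GET['user'] ?? '');
echo renderUserTable(findVerifiedUsers($con, $searchUser));
```

bind_result() is used rather than get_result() because it works without the mysqlnd driver; either way the fetch loop never sees raw SQL, and the rendering function is the single place where values are turned into HTML.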
It is showing a parse error on line 17. I have thoroughly checked it but am unable to find the error. So how do I fix this error? It is insert_city_query.php:
<?php
include('../../Connections/autodealers.php');
//error_reporting(0);
$cityname  = $_POST['cityname'];
$cityorder = $_POST['cityorder'];
$status    = $_POST['status'];
if ($status = "Enabled")
    $status = 1;
else
    $status = 0;
$query = "INSERT INTO " . $db_prefix . "city (cityname,cityorder,status) values
    (
    '" . addslashes($cityname) . "' ,
    '" . addslashes($cityorder) . "' ,
    '" . addslashes($status) . " '
    WHERE LCASE='strtolower($_REQUEST['cityname'])')";
echo $query;
$result = mysql_query($query);
if (!$result)
{
    die ('ERROR: ' . mysql_error());
    header("Location: " . $base_url . "admin/city_insert.php"); //if query fails
}
else
{
    header("Location: " . $base_url . "admin/cities.php"); //if query succeeds
}
mysql_close($autodealers);
?>
Change your query to:
$query = "INSERT INTO ".$db_prefix."city (cityname,cityorder,status) values
('" . addslashes($cityname) . "' ,
'" . addslashes($cityorder) . "' ,
'" . addslashes($status) . " '
WHERE LCASE='" . strtolower($_REQUEST['cityname']) . "')";
Note: Please don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi; this article will help you decide which. If you choose PDO, here is a good tutorial.
Warning: The query is vulnerable to SQL injection if the value(s) of the variables come from outside. Please take a look at the article below to learn how to prevent it.
How to prevent SQL injection in PHP?
You are not using strtolower() as a function.
You should change this line:
WHERE LCASE='strtolower($_REQUEST['cityname'])')";
to
WHERE LCASE='".strtolower($_REQUEST['cityname'])."')";
The echo statement below,
$statement = "INSERT INTO $tbl_name VALUES(" . $_GET['username'] . "," . $_GET['password'] . "," . $_GET['PasswordHintQuestion'] . "," . $_GET['PasswordHintAnswer'] . "," . $_GET['firstname'] . "," . $_GET['lastname'] . "," . $_GET['genderSelect'] . "," . $_GET['date_in_format'] . "," . $_GET['nationality'] . "," . $_GET['refEmail'] . ")" ;
echo $statement;
gave the output:
INSERT INTO ge_user_table VALUES([object HTMLInputElement],[object HTMLInputElement],[object HTMLInputElement],[object HTMLInputElement],[object HTMLInputElement],[object HTMLInputElement],[object NodeList],[object HTMLSelectElement]/[object HTMLSelectElement]/[object HTMLSelectElement],[object HTMLInputElement],[object HTMLInputElement])Database Insertion fault on registration
But during insertion into the database I got the error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '[object HTMLInputElement],[object HTMLInputElement],[object HTMLInputElement],[o' at line 1
But the query below works fine:
INSERT INTO ge_user_table VALUES('Muthu2','1234','Who are you?','Iam Indian','Muthu','Ganapathy','MALE','1991-12-21','Indian','abc#abc.com');
EDIT:
I have changed the code to:
$username = mysql_escape_string($_GET['username']);
$password = mysql_escape_string($_GET['password']);
$hintQues = mysql_escape_string($_GET['PasswordHintQuestion']);
$hintAns = mysql_escape_string($_GET['PasswordHintAnswer']);
$firstname = mysql_escape_string($_GET['firstname']);
$hintQues = mysql_escape_string($_GET['lastname']);
$gender = mysql_escape_string($_GET['genderSelect']);
$date = mysql_escape_string($_GET['date_in_format']) ;
$nationality = mysql_escape_string($_GET['nationality']) ;
$email = mysql_escape_string($_GET['refEmail']) ;
$statement = "INSERT INTO $tbl_name VALUES('$username' ,'$password','$hintQues' ,'$hintAns','$firstname' ,'$lastname' ,".
"'$gender' ,'$date','$nationality','$email')" ;
But the database has the entry as:
Final solution:
I passed form.username in the HTML instead of form.username.value. Now I've got it correct.
It looks like you have an error in your JavaScript: you send an HTML DOM node instead of the value.
Also, you should escape your GET variables, like:
mysql_real_escape_string($_GET['username']);
Try this:
$username    = mysql_escape_string($_GET['username']);
$password    = mysql_escape_string($_GET['password']);
$hintQues    = mysql_escape_string($_GET['PasswordHintQuestion']);
$hintAns     = mysql_escape_string($_GET['PasswordHintAnswer']);
$firstname   = mysql_escape_string($_GET['firstname']);
$lastname    = mysql_escape_string($_GET['lastname']);
$gender      = mysql_escape_string($_GET['genderSelect']);
$date        = mysql_escape_string($_GET['date_in_format']);
$nationality = mysql_escape_string($_GET['nationality']);
$email       = mysql_escape_string($_GET['refEmail']);
$statement = "INSERT INTO $tbl_name VALUES('$username', '$password', '$hintQues', '$hintAns', '$firstname', '$lastname', " .
    "'$gender', '$date', '$nationality', '$email')";
echo $statement;
Always try to keep the statement as readable as possible. Also, whenever a string needs to be inserted, it should be properly quoted. Also, always use mysql_escape_string() to avoid SQL injection.
A possible problem can be that you are passing the HTML element itself instead of its value.
Your SQL syntax is wrong. You can use mysql_real_escape_string, but you also need to take care of how you are passing values to SQL.
In the above query you simply passed text without quotes.
$statement = "INSERT INTO $tbl_name VALUES("
    . "'" . $_GET['username'] . "', "
    . "'" . $_GET['password'] . "', "
    . "'" . $_GET['PasswordHintQuestion'] . "', "
    . "'" . $_GET['PasswordHintAnswer'] . "', "
    . "'" . $_GET['firstname'] . "', "
    . "'" . $_GET['lastname'] . "', "
    . "'" . $_GET['genderSelect'] . "', "
    . "'" . $_GET['date_in_format'] . "', "
    . "'" . $_GET['nationality'] . "', "
    . "'" . $_GET['refEmail'] . "')";