This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
I'm currently using the following insert query to update values in mysql using php:
$UpdateQuery = "UPDATE `mysqldb`.`cu_data` SET
`app_status` = '".$_POST['Est']."',
`nacionalidad` = '".$_POST['Nac']."',
`ciudad_ini` = '".$_POST['CiudadI']."',
`ciudad_ent` = '".$_POST['CiudadE']."',
`ciudad_dest` = '".$_POST['CiudadD']."',
`ciudad_land` = '".$_POST['PEntrada']."',
`uso_consr` = '".$_POST['U_Abog']."',
`start` = '".$_POST['Envi']."',
`t1` = '".$_POST['Cob']."',
`t2` = '".$_POST['Acus']."',
`t3` = '".$_POST['Invit']."',
`t4` = '".$_POST['Entre']."',
`t5` = '".$_POST['Recibo']."',
`t6` = '".$_POST['EnvioF)']."',
`t7` = '".$_POST['DatInternet']."',
`t8` = '".$_POST['SoliMed']."',
`t9` = '".$_POST['OrdeMe']."',
`t10` = '".$_POST['SoliciPasa']."',
`t11` = '".$_POST['EnvioPasas']."',
`t12` = '".$_POST['RecepPasa']."',
`end` = '".$_POST['Landing']."',
`Notas` = '".$_POST['Notas']."',
`LastChange` = NOW()
WHERE `cu_data`.`procid` = '".$_POST['Proceso']."' AND
`cu_data`.`userid` = '$userid'
";
$result = mysqli_query($con, $UpdateQuery);
The code is working, but now I'm worried about sql inyections (not only the bad kind, but also things like the user including a semi-colon in any of the form fields)
I was thinking using some kind of escaping using mysql_real_escape_string (as suggested in the sencond most voted answer to this question), but then I see some pitfalls in the comments (and I'm having a hard time understanding the most voted one).
any tips?
thanks in advance
Ps: At least for the last field (notas) I need the user to enter any symbols such as ($ # % ; : ,.>
Edited:
I did look at the suggested answer (sorry I had a bad like to another SO answer in the original question). So, as not to be duplicate, could I ask for a clue on on how to do the PDO thing to a update query like the one I'm showing above? (My php is from the mysql_ days!)
Edited (2):
Ok, so this question has been flagged as duplicate, yet I don't agree with the selected answer (the one that shows after This question already has an answer here: as that's the one I read before asking this question. I did found another one that looks more interesting (at least to me) here: Replacing mysql_* functions with PDO and prepared statements (of course this one starts to make sense once one is aware of PHP Data Objects, aka PDO, which I wasn't
Edited (3):
Well I got this to work as follow:
$UpdateQuery1 = "UPDATE `mysqldb`.`cu_data` SET
`app_status` = ?,
`nacionalidad` = ?,
`ciudad_ini` = ?,
`ciudad_ent` = ?,
`ciudad_dest` = ?,
`ciudad_land` = ?,
`uso_consr` = ?,
`start` = ?,
`t1` = ?,
`t2` = ?,
`t3` = ?,
`t4` = ?,
`t5` = ?,
`t6` = ?,
`t7` = ?,
`t8` = ?,
`t9` = ?,
`t10` = ?,
`t11` = ?,
`t12` = ?,
`end` = ?,
`Notas` = ?,
`LastChange` = NOW()
WHERE `cu_data`.`procid` = ? AND
`cu_data`.`userid` = ?";
$stmt = $con->prepare($UpdateQuery1);
$stmt->bind_param('ssssssssssssssssssssssss',
$_POST['Estatus'],$_POST['Nacionalidad'],$_POST['CiudadI'],$_POST['CiudadE'],$_POST['CiudadD'],
$_POST['PEntrada'],$_POST['Uso_Abog'],$_POST['Envi'],$_POST['Cobro_de_Fee'],
$_POST['Acus'],$_POST['Invit'],$_POST['Entre'],$_POST['Recibo'],$_POST['EnvioF'],
$_POST['DatInternet'],$_POST['SoliMed'],$_POST['OrdeMe'],$_POST['SoliciPasa'],
$_POST['EnvioPasa'],$_POST['RecepPasa'],$_POST['Landing'],$_POST['Notas'],
$_POST['Proceso'],$userid);
$stmt->execute();
As a bonus, my field Notas seems to be able to hold any text, without having to escape special character
For best protection against injection attacks, use mysqli or PDO and prepared statements. Mysql_* functions are deprecated. Info on mysqli can be found in the documentation.
For example, a query with prepared statements looks like this:
$stmt = $mysqli->prepare('SELECT lastname FROM customers WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt -> bind_result($lastName);
$stmt -> fetch();
The $id holds the string to be escaped, and the $lastName variable will hold the value returned from the database. This will prevent sql injection attacks.
Related
This question already has answers here:
When to use single quotes, double quotes, and backticks in MySQL
(13 answers)
Closed 6 years ago.
I know this question is sort of dumb but I can't find out where the problem is I checked it with the codes in documentation and similar codes in stackoverflow but I can't figure out the problem.
this is my code:
if (isset($_POST['buy'])) {
$id = (int) $_POST['id'];
$name = $_POST['name'];
$price = (int) $_POST['price'];
date_default_timezone_set("Europe/London");
$date = date("Y-m-d h:i:sa");
$insquery = "INSERT INTO `purchases` (file_id, file_name, price, date) VALUES ({$id}, '{$name}', {$price}, {$date})";
$insResult = mysqli_query($con, $insquery);
if ($insResult) {
//do sth
} else {
//do sth else
}
I have tested these:
1- the post array is not empty and returns exactly those that I assigned to variables.
2- I have a table called purchases and it configured properly because I insert data in SQL and get it back successfully.
3- I have tried on SQL statement without {} around SQL variables but no luck.
and another question is after the SQL statement done how can I use the OUTPUT Inserted.ID as a variable in PHP?
thanks in advance.
date is a keyword in MySql. So use backtick (`).
INSERT INTO purchases (`file_id`, `file_name`, `price`,
`date`) ...
Instead of using direct substitution values, you could use below methods to avoid sql injection.
Using MySQLi (for MySQL):
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) VALUES (?, ?, ?)");
$stmt->bind_param("sss", $firstname, $lastname, $email);
// set parameters and execute
$firstname = "John";
$lastname = "Doe";
$email = "john#example.com";
$stmt->execute();
Please refer How can I prevent SQL-injection in PHP?
Use mysqli::$insert_id for last inserted ID (Docs here)
Thanks in advance for everyone's help. I have an issue that has driven me crazy for hours. I've tried writing this several times using several methods with full error checking. I've tried single quotes on the field names, I've tried putting an SQL query in a variable and passing it to $db->prepare -- all to no avail. I've checked my permissions and everything looks good to me. I'm sure it's something simple but I'm bleary-eyed going over this and I'm just not seeing it.
$db = OpenDBConn();
// $query = "UPDATE agent_profiles SET ";
// $query .= "website = ?, display_email = ?, primary_phone = ?, secondary_phone = ?, secondary_phone_type = ?, ";
// $query .= "address_1 = ?, address_2 = ?, city = ?, state = ?, zip = ?, country = ?, description = ? ";
// $query .= "WHERE agent_id = ?";
$stmt = $db->prepare("UPDATE agent_profiles SET
website=?,
display_email=?,
primary_phone=?,
secondary_phone=?,
secondary_phone_type=?,
address_1=?,
address_2=?,
city=?,
state=?,
zip=?,
country=?,
description=?
WHERE agent_id=?");
$stmt->bind_param('ssssssssssssi', $this->website, $this->display_email, $this->primary_phone, $this->secondary_phone, $this->secondary_phone_type, $this->address_1, $this->address_2, $this->city, $this->state, $this->zip, $this->country, $this->description, $this->agent_id);
$stmt->execute();
$stmt->close();
$db->close();
Even with full error reporting and modifying the code to look for $db->error, it all looks and runs clean but doesn't save to the table. Functions used here are used in other places and work fine. Any guesses?
error_reporting(-1);
ini_set('display_errors', 'On');
Is your friend, why do you always exclude him on your journeys?
I have been reading about using $_POST values being used directly in isert statements and understand that this is an invitation for trouble. What is not clear in any of the posts I read was -
Say my form is sending 7 items to my mysqli insertion script and I use the posted values like this:
$stmt = $mysqli->prepare("INSERT INTO `advertisements` (`from`, `r_u_res`, `email`, `blockname`, `floorno`, `doorno`, `content`) VALUES (?, ?, ?, ?, ?,?,?)");
$stmt->bind_param('sssssss', $_POST['from'], $_POST['rures'], $_POST['email'], $_POST['blockname'], $_POST['floorno'], $_POST['doorno'], $_POST['content']);
$stmt->execute();
$stmt->close();
Would that be the correct way to do it? Or should I first store the posted values in a new variable and use that variable while binding? - like this :
$postedfrom = $_POST['from'];
$postedrures = $_POST['rures'];
$postedemail = $_POST['email'];
$postedblockname = $_POST['blockname'];
$postedfloorno = $_POST['floorno'];
$posteddoorno = $_POST['doorno'];
$postedcontent = $_POST['content'];
$stmt = $mysqli->prepare("INSERT INTO `advertisements` (`from`, `r_u_res`, `email`, `blockname`, `floorno`, `doorno`, `content`) VALUES (?, ?, ?, ?, ?,?,?)");
$stmt->bind_param('sssssss', $postedfrom, $postedrures, $postedemail, $postedblockname, $postedfloorno, $posteddoorno, $postedcontent);
$stmt->execute();
$stmt->close();
I saw a post OO mysqli prepared statements help please where the answer does seem to be like the code above but I want to know whether doing it like the first code poses security issues...
both forms are equivalent from a security perspective as php first resolves the values to be passed in the method call to $stmt->bind_param, thus that function sees the exact same values in both cases.
ps: both snippets look ok to me.
I was wondering if someone could help me.
Im trying to integrate some code into my application, the code that i need to integrate is written with PDO statements and i have no idea how it goes.
I was wondering if someone could help me convert it.
The code is as follows
$sql = "insert into message2 (mid, seq, created_on_ip, created_by, body) values (?, ?, ?, ?, ?)";
$args = array($mid, $seq, '1.2.2.1', $currentUser, $body);
$stmt = $PDO->prepare($sql);
$stmt->execute($args);
if (empty($mid)) {
$mid = $PDO->lastInsertId();
}
$insertSql = "insert into message2_recips values ";
$holders = array();
$params = array();
foreach ($rows as $row) {
$holders[] = "(?, ?, ?, ?)";
$params[] = $mid;
$params[] = $seq;
$params[] = $row['uid'];
$params[] = $row['uid'] == $currentUser ? 'A' : 'N';
}
$insertSql .= implode(',', $holders);
$stmt = $PDO->prepare($insertSql);
$stmt->execute($params);
You shoudl use PDO unles for some technical reason you cant. If you dont know it, learn it. Maybe this will get you started:
/*
This the actual SQL query the "?" will be replaced with the values, and escaped accordingly
- ie. you dont need to use the equiv of mysql_real_escape_string - its going to do it
autmatically
*/
$sql = "insert into message2 (mid, seq, created_on_ip, created_by, body) values (?, ?, ?, ?, ?)";
// these are the values that will replace the ?
$args = array($mid, $seq, '1.2.2.1', $currentUser, $body);
// create a prepared statement object
$stmt = $PDO->prepare($sql);
// execute the statement with $args passed in to be used in place of the ?
// so the final query looks something like:
// insert into message2 (mid, seq, created_on_ip, created_by, body) values ($mid, $seq, 1.2.2.1, $currentUser, $body)
$stmt->execute($args);
if (empty($mid)) {
// $mid id is the value of the primary key for the last insert
$mid = $PDO->lastInsertId();
}
// create the first part of another query
$insertSql = "insert into message2_recips values ";
// an array for placeholders - ie. ? in the unprepared sql string
$holders = array();
// array for the params we will pass in as values to be substituted for the ?
$params = array();
// im not sure what the $rows are, but it looks like what we will do is loop
// over a recordset of related rows and do additional inserts based upon them
foreach ($rows as $row) {
// add a place holder string for this row
$holders[] = "(?, ?, ?, ?)";
// assign params
$params[] = $mid;
$params[] = $seq;
$params[] = $row['uid'];
$params[] = $row['uid'] == $currentUser ? 'A' : 'N';
}
// modify the query string to have additional place holders
// so if we have 3 rows the query will look like this:
// insert into message2_recips values (?, ?, ?, ?),(?, ?, ?, ?),(?, ?, ?, ?)
$insertSql .= implode(',', $holders);
// create a prepared statment
$stmt = $PDO->prepare($insertSql);
// execute the statement with the params
$stmt->execute($params);
PDO really is better. It has the same functionality as MySQLi but with a consistent interface across DB drivers (ie. as long as your SQL is compliant with a different database you can theoretically use the exact same php code with mysql, sqlite, postresql, etc.) AND much better parameter binding for prepared statements. Since you shouldnt be using the mysql extension any way, and MySQLi is more cumbersome to work with than PDO its really a no-brainer unless you specifically have to support an older version of PHP.
So this is my current code:
function addPage($uniquename, $ordernum, $title, $author, $content, $privilege, $description=NULL, $keywords=NULL){
if (!$description) $description = NULL;
if (!$keywords) $keywords = NULL;
//UPDATE `table` SET `ordernum` = `ordernum` + 1 WHERE `ordernum` >= 2
$query = "UPDATE ".$this->prefix."page SET ordernum = ordernum+1 WHERE ordernum >= ?";
if ($stmt = $this->db->prepare($query)){
$stmt->bind_param("i", $ordernum);
$stmt->execute();
if (!arCheck($stmt)) return false;
} else {
$this->stmtError("addPage", $stmt->error);
}
$query = "INSERT INTO ".$this->prefix."page VALUES (LCASE(?), ?, ?, ?, ?, ?, ?, ?)";
if ($stmt = $this->db->prepare($query)){
$stmt->bind_param("sisisssi", $uniquename, $ordernum, $title, $author, $content, $description, $keywords, $privilege);
$stmt->execute();
return arCheck($stmt);
} else {
$this->stmtError("addPage", $stmt->error);
}
}
It is suppose to add a new page to the datatable. The MySQL is courtesy of Phil Hunt from Store the order of something in MySQL
I know that you can use multiquery to accomplish the same thing, however I was told that prepared statement is better in performance, and security. Is there another way to do this? Like a prepared multi query?
Also, what about doing Transactions? I'm not fully sure of what that is, I assume that it's if, let's say, the INSERT statement fails, it will undo the UPDATE statement as well?
NOTE: the arCheck function will close the statement.
Prepared statements are indeed faster for repeated queries, at least in most cases. They're also safer because they automatically escape input values, preventing SQL injection attacks. If you want to use them in PHP you'll need the MySQLi extension.
You appear to have the right idea about transactions. With MySQLi there are commit and rollback methods, otherwise you can use mysql_query("COMMIT") or mysql_query("ROLLBACK").