This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Best way to prevent SQL Injection in PHP
Is this code secure since i am using mysql_real_escape_string and strip_tags
Is there any need to change to pdo ?
I am not able to convert the following code to pdo because its displaying cannot modify header .
<?php
include('config.php');
$link =mysql_connect($db_host,$username,$password);
mysql_select_db($db_name);
$id= $_POST["uniqi"];
$comments= $_POST["comments"];
$comments= mysql_real_escape_string($comments);
$comments = strip_tags($comments);
$update = "UPDATE mastertable SET comments = '$comments' WHERE id_pk= '$id'";
mysql_query($update, $link);
mysql_close();
header('Location: http://www.xxxx.com/xxxxx/xxxx.php?cntmsg=Comment Updated');
?>
This is not safe code - your $id variable is not processed by your code.
$id= $_POST["uniqi"];
$id= mysql_real_escape_string($id);
$id = strip_tags($id);
Related
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 5 years ago.
i have a problem with mycode '=''or'
$connect= mysqli_connect($host, $user, $password, $database);
if (isset($_POST["sub"])){
$userr =$_POST["username"];
$passs =$_POST["password"];
$password = hash('sha256', $passs);
$query="select * from user WHERE username='$userr'AND password='$password'";
$run=mysqli_query($connect,$query);
if(mysqli_num_rows($run))
{
header("Location: index.php");
$_SESSION['username']=$userr;
exit;
}
else {
$pri ='<center><br/> error </center>';
}
}
mysqli_close($connect);
so when anyone doing bypass using '=''or' it will go to index.php
I don't know really how to fix it ..
Just properly escape the $userr and $password variables for using in sql statement like this:
$query="select * from user WHERE username='".mysqli_real_escape_string($connect, $userr)."' AND password='". mysqli_real_escape_string($connect, $password)."'";
You can lookup php mysqli sql injection for more information.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 5 years ago.
here my code called data.php
<?php
sql = db->query('SELECT* FROM tb_karyawan order by kar_id desc');
while($data = $sql->fetch(PDO::FETCH_ASSOC)){
} ?>
nilai.php?hal=tambah&kd=
and my nilai.php
<?php
$sql = $db->query('SELECT * FROM tb_karyawan WHERE kar_id=$_GET["kar_id"]) .');
$data = $sql->fetch(PDO::FETCH_ASSOC);
?>
how to get kar_id from previous page to next page by $_GET METHOD using PDO i am new for PDO
THANKS
<?php
while($data = $sql->fetch(PDO::FETCH_ASSOC)){ ?>
Link
<?php }
?>
nilai.php:
$kar_id = $_GET["kar_id"];
$sql = $db->prepare('SELECT * FROM tb_karyawan WHERE kar_id=:kar_id');
$sql->bindValue(':kar_id', $kar_id , PDO::PARAM_INT);
$sql->execute();
This question already has answers here:
How to bind LIKE values using the PDO extension?
(7 answers)
Closed 7 years ago.
i am going to prevent SQL injection using PDO but i Want to know can my code prevent SQL injection
Here is my code
connection.php
<?php
$hostname='localhost';
$username='root';
$password='root';
try {
$pdo_obj = new PDO("mysql:host=$hostname;dbname=dbname",$username,$password);
$pdo_obj->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo_obj->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch(PDOException $e)
{
echo $e->getMessage();
}
?>
my function.php
<?php
function getdata($pdo_obj, $sql, $params=NULL) // pdo prepaired statements
{
$stmt = $pdo_obj->prepare($sql);
$stmt->execute($params);
return $stmt;
}
?>
and my page.php
<?php
$searchTerm = $_GET['term'];
$result=getdata($pdo_obj,"SELECT b_type FROM b_details WHERE b_type LIKE '%".$searchTerm."%'")->fetchAll();
// my work
?>
every thing working fine but i am not sure is this code prevent SQL Injection
Thanks in Advance
You aren't using your function's ability to protect from injection. To do so you have to send any data via parameters.
<?php
$searchTerm = '%'.$_GET['term'].'%';
$sql = "SELECT b_type FROM b_details WHERE b_type LIKE ?";
$result = getdata($pdo_obj, $sql, [$searchTerm])->fetchAll(PDO::FETCH_COLUMN);
BTW, I added a PDO::FETCH_COLUMN constant that will make the returned array more convenient, given only one column is selected.
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
Given this code:
mysqli_set_charset('utf8');
$id = mysqli_real_escape_string($_GET['id']);
$result = mysqli_query($con,"SELECT * FROM post WHERE id_post = '$id'");
if (mysqli_num_rows($result) == 0) {
header('Location: 404.php');
die();
} else {
// Continue...
}
And this:
$id = filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT);
// New PDO...
$Ps = $Pdo->prepare('SELECT * FROM post WHERE id_post = :id');
$Ps->execute(array(':id', $id));
if ($Ps->rowCount() == 0) {
header('Location: 404.php');
die();
} else {
// Continue...
}
Is there a best option to prevent SQL Injection or the are equivalent?
Second option is the way to go. Using mysql_real_escape_string() leaves open some space for sql injection using some exotic multibyte character. Ref: SQL injection that gets around mysql_real_escape_string()
Alternatively you can use prepared statment with mysqli
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions concerning problems with code you've written must describe the specific problem — and include valid code to reproduce it — in the question itself. See SSCCE.org for guidance.
Closed 9 years ago.
Improve this question
help me with this code i am new to php
<?php
$conn=mysql_connect("localhost","root","","test");
if(isset($_POST['submit']))
{
$sql="INSERT INTO registration(fname,designation,emailid,
address,phonenumber)VALUES('".$_POST['fname']."','".$_POST['designation']."','".$_POST['ema
lid']."', '".$_POST['address']."','".$_POST['phonenumber']."')";
echo $sql;
$result=mysql_query($conn,$sql);
echo $result;
}
else{
echo "Error";
}
?>
its a registration page getting values and inserting it in the table...
You have the parameters around the wrong way here:
$result=mysql_query($conn,$sql);
Try
$result=mysql_query($sql, $conn) or die(mysql_error($conn));
Side notes:
Don't use mysql_*() functions: they're deprecated. Use mysqli_*() versions instead.
You should escape your user inputs with mysql_real_escape_string() to protect against SQL Injection attacks. Consider using prepared statements with mysqli_() instead.
Take a look at this link which is a good tutorial for inserting data (from a form etc.) to a mysql database.
Also: be aware of sql-injection and prevent it. here is a tutorial on how to do this: link
If you want to have readable code, set the $_POST[] values to a variable, and then pass them to the query, it's not different in fact but this is more easy and clean.:
<?php
$conn=mysql_connect("localhost","root","","test");
if(isset($_POST['submit']))
{
$fname = $_POST['fname'];
$designation = $_POST['designation'];
$emailid = $_POST['emailid'];
$address = $_POST['address'];
$phonenumber = $_POST['phonenumber'];
$sql="INSERT INTO registration(fname,designation,emailid,address,phonenumber)";
$sql .="VALUES('$fname', '$designation', '$emailid', '$address', '$phonenumber')";
echo $sql;
$result=mysql_query($conn,$sql);
echo $result;
}
else{
echo "Error";
}
?>
you hade a typing mistake in $_POST['emailid']...
and you can select your database with this:
mysql_select_db('your db name');
put this line after your connection variable means $conn
and this is wrong:
$result = mysql_query ($conn, $sql)
you have to set the query first:
$result = mysql_query($sql, $conn)