huddds
Reputation: 1045
how to make my variable safe for database insertion?
I have a variable which I need to strip of sybols before inserting into my database, any ideas how I would add the mysql_real_escape_string() function to my existing code?
Form page
This page is a basic html form which shows the database content.
<?php
$query = sprintf( "SELECT * FROM sitecontent WHERE ID = $_GET[id]");
$result = mysql_query($query) or die (mysql_error());
$post = mysql_fetch_array($result);
?>
<form action="editp.php" method="POST" name="editform">
<label for="pName" style="padding:10px; ">Post Title</label>
<input type="text" name="pName" style=" width:550px;border:#000099; margin:10px;" value="<?php echo $post['Post_Title']; ?>"/>
<label for="pCategory" style="padding:10px; ">Category</label>
<input type="text" name="pCategory" style=" width:50px;border:#000099; margin:10px;" value="<?php echo $post['Post_Year']; ?>"/>
<label for="pItem" style="padding:10px;">Item Type</label>
<select name="pItem" style="border:#000099; margin:10px;">
<option value="1">News</option>
<option value="2">Review</option>
</select>
<label for="pName" style="padding:10px;">Article ID</label>
<input type="text" name="pID" style="border:#000099; margin:10px;" value="<?php echo $post['ID']; ?>"/>
<label for="pName" style="padding:10px;">Post Date</label>
<input type="text" name="pDate" style="border:#000099; margin:10px;" value="<?php echo $post['Date']; ?>">
<label for="pName" style="padding:10px;">Post Author</label>
<input type="text" name="pAuthor" style="border:#000099; margin:10px;" value="<?php echo $post['Post_Author']; ?>"/>
<label for="pName" style="padding:10px;">Home Page</label>
<select name="Page" style="border:#000099; margin:10px;">
<option value="0">None</option>
<option value="1">Home</option>
</select>
<label for="pPriority" style="padding:10px;">Home Priority</label>
<select name="pPriority" style="border:#000099; margin:10px;">
<option value="0">None</option>
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
<option value="4">4</option>
</select>
<label for="pName" style="padding:10px;">Post Content</label>
<textarea style="width:550px; height:200px;border:#000099; margin:10px;" type="text" name="pContent" id="pContent" value="<?php echo $post['Post_Content']; ?>"><?php echo $post['Post_Content']; ?></textarea>
<span id="btnStrong" style=" padding: 2px 8px;background-color:#C00;font-family:'Trebuchet MS', Arial, Helvetica, sans-serif; color:#FFF; cursor:pointer;">Bold</span> <span id="btnItalic" style=" padding: 2px 8px; background-color:#C00;font-family:'Trebuchet MS', Arial, Helvetica, sans-serif; color:#FFF; cursor:pointer;">Italic</span>
<label for="pImage_Name" style="padding:10px;">Image Name</label>
<input type="text" name="pImage_Name" style="border:#000099; margin:10px; width:550px;" value="<?php echo $post['Image_Name']; ?>"/>
<label for="pApproval" style="padding:10px;">Approval</label>
<select name="pApproval" style="border:#000099; margin:10px;">
<option value="0">Pending</option>
<option value="1">Approved</option>
</select>
<input type="hidden" name="id" value="<?php echo $_GET['id']; ?>"/>
<span style="margin-left:10px;">Please check the changes above before submitting</span> <br/>
<input type="submit" name="go" value="Submit Changes" style=" padding: 2px 8px;background-color:#C00; color:#FFF; margin:10px;"/>
</form>
<?php
$updateq = "UPDATE sitecontent WHERE ID = '$_POST[id]'";
?>
Update page
This is the page that writes the content from the form to the database.
<?php
include'includes/connection.php';
$pName = $_POST['pName'];
$pItem = $_POST['pItem'];
$pCategory = $_POST['pCategory'];
$pDate = $_POST['pDate'];
$pAuthor = $_POST['pAuthor'];
$pContent = $_POST['pContent'];
$Page = $_POST['Page'];
$id = $_POST['id'];
$pApproval = $_POST['pApproval'];
$pPriority = $_POST['pPriority'];
$pImage_Name = $_POST['pImage_Name'];
$updateq = "UPDATE sitecontent SET ID = '$pID', Post_Title = '$pName', Post_Year = '$pCategory', Date = '$pDate', Post_Author = '$pAuthor', Post_Content = '$pContent', Page = '$Page', Post_Approval = '$pApproval', Priority = '$pPriority', Image_Name = '$pImage_Name' WHERE ID = '$_POST[id]'";
$result = mysql_query($updateq) or die (mysql_error());
header("Location:admin.php");
?>
Upvotes: 0
Views: 1742
Answers (3)
Baba
Reputation: 95131
You can also try to filter all with a simple foreach
foreach($_POST as $key => $value)
{
$value = filter_var($value, FILTER_SANITIZE_STRING);
$value = mysql_real_escape_string($value);
$_POST[$key] = $value ;
}
Upvotes: 0
Bono
Reputation: 4849
For strings just say:
$pName = mysql_real_escape_string($_POST['pName']);
For integers:
$id = intval($_POST['id']);
That's all there is to it; just do it for all your variables
edit
Anyways, I'd advise you to use PDO in stead, way better to prevent sql injection!
Upvotes: 5
David-SkyMesh
Reputation: 5171
Ouch! Don't do that!
$updateq = "UPDATE sitecontent SET ID = '$pID', ... WHERE ID = '$_POST[id]'";
$result = mysql_query($updateq) or die (mysql_error());
What if I post this?
id=1%37%3B%20delete%20from%20sitecontent%20where%20%37%37%3D%37
That would make your query look like:
$updateq = "UPDATE sitecontent SET ID = '$pID', ... WHERE ID = '1'; delete from sitecontent where ''=''";
This is called SQL injection. Please use database query placeholders!
Even if the database driver disallows multiple statements per query, you can still alter someone elses records!
Upvotes: 1
Related Questions
- What's a better way to make this insert more secure and safe from injection and manipulation
- PHP variable hacking
- How to safely insert code in mySQL database
- How to safely insert data to mysql using php pdo
- Is my PHP Code Secure
- secure php variable before insert it to database
- How can i secure this PHP script?
- How do i secure this PHP script?
- How to protect this code from sql injection?
- How to avoid "PHP injection"