CODEWITHSUNDEEP
phpmysqlmysqlisql-injection
truelogicINC
truelogicINC

Reputation: 119

Secured Mysqli Statement to avoid SQL Injection but the form sends only blank Info

Good day! I'm having a problem in using $stmt to avoid SQL Injection on my database. Whenever I click submit, the form only sends blank user and password but there's an multiple id that has been created. :( Is there anyone who can help me through this?

Here's my Form

<form action="index.php" method="POST">
 <h1>Create Username</h1>
    Username: <input type="text" name="user"><br />
    Password: <input type="password" name="pass"><br />
    <input type="submit" value="Submit">
</form>

And my for Action is here.

$name = $_POST['user'];
$password = $_POST['pass'];

//$mysqli is my connection stored at my config.php
if ($stmt = $mysqli->prepare("INSERT INTO users (user, password) VALUES (?, ?)")) {

// Bind the variables to the parameter as strings. 
$stmt->bind_param("ss", $name, $password);

// Execute the statement.
$stmt->execute();

// Close the prepared statement.
$stmt->close(); 
}

if($stmt){
 echo "Data Sent";
}else{
 echo "Error in Sending";
}

Upvotes: 0

Views: 39

Answers (1)

Mahdyfo
Mahdyfo

Reputation: 1173

Mysqli doesn't quote like PDO. Do it manually.

INSERT INTO `users` (`user`, `password`) VALUES ('?', '?')

For validating user, if you are using password_hash() and password_verify() functions of php select them first and check password.

If you're using md5, sha1, ... first md5 the input password from post, then

 select * from `users` where `username`= '...' AND `password` = 'Here it should be the hashed pw';

Upvotes: 2

Related Questions