0

I made a php function and a jquery function with the aim of being able to update any of my database tables from any html form.

All I have to do is add the appropriate TABLE tag to the form and the appropriate ROW Tag to the inputs.

It works fine but I'm concerned about it from a security aspect.

Note that I am using $query=mysql_real_escape_string(stripslashes($query)); and the "ACCOUNT_ID=".$_SESSION['account'] in my where clause which should prevent one user from being able to overwrite anothers data.

But I wandering what else I may have missed or what other problems could potentially arise?

database.php

<?
 class Database {

    public function __construct() {
    $server = "localhost";
    $username = "user";
    $pass = "password";     
    mysqli_connect($server, $username, $pass) or die("cannot connect");
    mysqli_select_db("database") or die("cannot select DB");
}

public function Update($query) {
    $query=mysql_real_escape_string(stripslashes($query));
    $response = mysqli_query($query);
    return $response;
}
?>

update.php

<?
require_once 'database.php';
session_start();
Update($_POST);

function Update($fields) {
    $db = new Database();
    $table = $fields['TABLE'];
    unset($fields['TABLE']);
    $qry = array();
    foreach ($fields as $key => $value) {
        array_push($qry, " " . $key . "='" . $value . "'");
    }
    $qry = implode(",", $qry);
    $update = "UPDATE $table SET";
    $clause = "WHERE ID=" . $fields['ID'] . " AND ACCOUNT_ID=".$_SESSION['account'];
    $sqlQry = $update . $qry . $clause;
    $response = $db->Update($sqlQry);
    return $response;
}
?>

user_details.php

 <head>
  <script src="Scripts/jquery-1.8.3.min.js" type="text/javascript"></script>
 </head>
 <body>
 <form id="myForm" TABLE="USERS">
 <input id="name" type="text" ROW="USER_NAME"/>
 <input id="age" type="text" ROW="USER_AGE"/>
 <input id="email" type="text" ROW="EMAIL"/>
 <input class="submit" type="submit" value="update"/>
 </form>

 <script>
 $(function(){

   $('.submit').click(function(){
     var data = {};
     var form = $(this).parent();
     data.TABLE = form.attr('TABLE');
     var fields=$('form input, form select');
     $(fields).each(function(i, e) {
       var input = $(e);
       var dbKey = input.attr('ROW');
       var value = input.attr('value');
       if (dbKey && value) {
          data[dbKey] = value;
         }
       $.post('update.php',data);
     });

    });
 </script>
 </body>
andrew
  • 9,313
  • 7
  • 30
  • 61
  • Use prepared statements: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php/60496#60496 – Boundless Sep 05 '13 at 17:10

1 Answers1

0

Use prepared statements to insure there isn't sql injection attacks. You can never trust the user's data, and never rely on sanitizing it, because there will always be a case that you don't check for. A good example can be found here: How can I prevent SQL injection in PHP?

Community
  • 1
  • 1
Boundless
  • 2,444
  • 2
  • 25
  • 40